[security advisory] http://wiki.nginx.org/Redmine
Gena Makhomed
gmm at csdoc.com
Mon Mar 9 18:24:43 UTC 2015
On 09.03.2015 19:25, Francis Daly wrote:
>>> From reading the redmine docs, it looks like the contents of the "root"
>>> directive directory should be whatever is in the distributed redmine
>>> public/ directory; not the entire installation including configuration.
>>
>> I am talk about configuration recommended
>> at webpage http://wiki.nginx.org/Redmine
>> not about "reading the redmine docs".
>
> But the user must have followed some documentation to install redmine in
> the first place; and if they unthinkingly install it into /var/www/redmine
> they are probably doing something wrong before nginx gets involved.
redmine documentation:
http://www.redmine.org/projects/redmine/wiki/RedmineInstall
don't forbid users to install redmine into /var/www/redmine
even more, redmine documentation:
http://www.redmine.org/projects/redmine/wiki/HowTo_install_Redmine_on_CentOS_5
RECOMMENDS to install redmine into /var/www/redmine
see: "Configure /var/www/redmine/config/database.yml"
http://www.redmine.org/projects/redmine/wiki/How_to_Install_Redmine_on_CentOS_(Detailed)
see: "Configure /var/www/redmine/config/database.yml"
also, FHS http://www.pathname.com/fhs/pub/fhs-2.3.html
don't say what /var/www/.... must contain only "static" files.
> I see instructions to install to /opt/redmine, and to /var/lib/redmine,
> and to /usr/share/redmine, and in each case they say to do something like
>
> ln -s /usr/share/redmine/public /var/www/redmine
>
> to have only the web-accessible content below /var/www/redmine.
I don't see such instructions at the http://wiki.nginx.org/Redmine
> If the user really wants to install to /var/www/redmine, then they must
> modify the "root" directive (to be /var/www/redmine/public), as the
> words on the wiki page already say.
I modify root directive,
but change /var/www/redmine to /home/www/redmine
and all works fine, but with vulnerability.
User must guess than they must change from "root /var/www/redmine;"
to "root /var/www/redmine/public;" to fix this unobvious vulnerability?
> I do not see this as an nginx-related security problem.
As I already say, this is not nginx-related security problem,
it was by default vulnerable configuration as wiki recommendation.
>>> And if /var/www/redmine does just have the public/ contents and the
>>> upstream servers reveal secret information, that would be their problem
>>> and not nginx's, I think.
>>
>> root /var/www/redmine;
>> try_files $uri @ruby;
>>
>> Request https://redmine.example.com/config/database.yml will be
>> processed by nginx, because file /var/www/redmine/config/database.yml
>> exists. For details - see manual about try_files directive in nginx.
>
> The file /var/www/redmine/config/database.yml should not exist.
it MUST exists, because redmine install
instructions suppose that such file exists:
"Configure /var/www/redmine/config/database.yml"
> If the file /var/www/redmine/config/database.yml does exist and the
> above nginx configuration is used, then the user will find that no part
> of their redmine web-related installation will work, because all of the
> images and stylesheets and javascripts are inaccessible.
No, if nginx frontend can't process such non-existend files,
it just silently proxy request to backend and backend process
such request without any problems.
So, this security vulnerability will be *invisible* for users.
Try it youself, if you don't believe me.
> Correspondingly, if the user has installed only web content below
> /var/www, then using a different "root" directive will cause that
> installation not to work.
redmine documentation at redmine site recomments install
entire redmine into /var/www/redmine directory, not only public content.
--
Best regards,
Gena
More information about the nginx
mailing list