Weird problem with redirects

Hamza Aboulfeth h.aboulfeth at genious.Net
Sun Aug 21 10:53:01 UTC 2016


Hello everyone,

I finally understand what's going on here...

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/10236/python-http-proxy-header-injection-vulnerability-cve20161000110

I have been a victim of this attack; nginx is also affected. Is there 
any patch for this new vulnerability?

Thank you,
Hamza


> Hamza Aboulfeth <mailto:h.aboulfeth at genious.net>
> August 13, 2016 at 6:36 PM
> Hello,
>
> We have formatted the server and installed everything over again, a 
> week later the same problem occurred. All redirects are actually sent 
> from time to time to another host:
>
> [root at genious106 ~]# curl -IL -H "host: hespress.com" xx.xx.xx.xx
> HTTP/1.1 301 Moved Permanently
> Server: nginx/1.10.1
> Date: Sat, 13 Aug 2016 13:31:28 GMT
> Content-Type: text/html
> Content-Length: 185
> Connection: keep-alive
> Location: http://1755118211.com/
> dbg-redirect: nginx
>
> HTTP/1.1 302 Found
> Server: nginx/1.2.1
> Date: Sat, 13 Aug 2016 13:31:17 GMT
> Content-Type: text/html; charset=iso-8859-1
> Connection: keep-alive
> Set-Cookie: orgje=2PUrADQAAgABACUhr1f__yUhr1dAAAEAAAAlIa9XMgACAAEAJSGvV___JSGvVwA-; expires=Sun, 13-Aug-2017 13:31:17 GMT; path=/; domain=traffsell.com
> Location: http://triuch.com/6lo1I
>
> HTTP/1.1 200 OK
> Server: nginx
> Date: Sat, 13 Aug 2016 13:31:17 GMT
> Content-Type: text/html; charset=utf-8
> Connection: keep-alive
> Vary: Accept-Encoding
> Vary: Accept-Encoding
>
> [root at genious106 ~]#
>
> Even php redirect requests are rerouted.
>
> Please advise,
> Hamza
>
> Francis Daly <mailto:francis at daoine.org>
> July 16, 2016 at 8:47 AM
> On Fri, Jul 15, 2016 at 10:58:07PM +0100, Hamza Aboulfeth wrote:
>
> Hi there,
>
>
> If that x.x.x.x is enough to make sure that this request gets to your
> nginx, then your nginx config is probably involved.
>
> If this only started yesterday, then changes since yesterday (or since
> your nginx was last restarted before yesterday) are probably most
> interesting.
>
> And as a very long shot: if you can "tcpdump" to see that nginx is sending
> one thing, but the client is receiving something else, then you'll want
> to look outside nginx at something else interfering with the traffic.
>
> Good luck with it,
>
> f
>
> Hamza Aboulfeth <mailto:h.aboulfeth at genious.Net>
> July 15, 2016 at 10:58 PM
> Hello,
>
> I have a weird problem that suddenly appeared on a client's website 
> yesterday. We have a redirection from non www to www and sometimes the 
> redirection sends somewhere else:
>
> [root at genious33 nginx-1.11.2]# curl -IL -H "host: hespress.com" x.x.x.x
> HTTP/1.1 301 Moved Permanently
> Server: nginx/1.11.2
> Date: Fri, 15 Jul 2016 21:54:06 GMT
> Content-Type: text/html
> Content-Length: 185
> Connection: keep-alive
> Location: http://1755118213.com/
> dbg-redirect: nginx
>
> HTTP/1.1 302 Found
> Server: nginx/1.2.1
> Date: Fri, 15 Jul 2016 21:52:37 GMT
> Content-Type: text/html; charset=iso-8859-1
> Connection: keep-alive
> Set-Cookie: orgje=JbgbADQAAgABACVbiVf__yVbiVdAAAEAAAAlW4lXAA--; expires=Sat, 15-Jul-2017 21:52:37 GMT; path=/; domain=traffsell.com
> Location: http://m.xxx.com/
>
> HTTP/1.1 200 OK
> Date: Fri, 15 Jul 2016 21:52:37 GMT
> Content-Type: text/html; charset=UTF-8
> Connection: keep-alive
> Set-Cookie: __cfduid=d5624eb7a789e21f082873681ec36a41b1468619557; expires=Sat, 15-Jul-17 21:52:37 GMT; path=/; domain=.hibapress.com; HttpOnly
> X-Powered-By: PHP/5.3.27
> X-LiteSpeed-Cache: hit
> Vary: Accept-Encoding
> X-Turbo-Charged-By: LiteSpeed
> Server: cloudflare-nginx
> CF-RAY: 2c307148667c3f77-YUL
>
> Sometimes it acts as it should, sometimes it redirects somewhere else.
>
> If you have any clue about what's happening, do help me :)
>
> Thank you,
> Hamza
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
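
An added example, not part of the original thread: because the bad redirect in the messages above only shows up "from time to time", one way to catch it is to save each `curl -IL` capture and check every redirect hop's Location host against the hosts the site is supposed to redirect to. The host names, the allowlist and both sample captures below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

STATUS = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})")

def parse_chain(text):
    """Split `curl -IL` output into one (status, headers) tuple per hop."""
    hops = []
    for line in text.splitlines():
        line = line.strip()
        m = STATUS.match(line)
        if m:
            hops.append((int(m.group(1)), {}))
        elif hops and ":" in line:          # ignore anything before the first status line
            name, value = line.split(":", 1)
            hops[-1][1][name.strip().lower()] = value.strip()
    return hops

def unexpected_redirects(text, allowed_hosts):
    """Return (hop_number, status, host) for each redirect that leaves the allowlist."""
    findings = []
    for n, (status, headers) in enumerate(parse_chain(text), start=1):
        location = headers.get("location")
        if 300 <= status < 400 and location:
            host = (urlsplit(location).hostname or "").lower()
            if host and host not in allowed_hosts:   # relative Location stays on-host
                findings.append((n, status, host))
    return findings

# Constructed captures shaped like the curl output quoted in the thread.
GOOD = """HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Location: http://www.example.com/

HTTP/1.1 200 OK
Server: nginx/1.10.1
"""
BAD = """HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.1
Location: http://redirect.invalid/
dbg-redirect: nginx

HTTP/1.1 302 Found
Server: nginx/1.2.1
Location: http://landing.invalid/abc

HTTP/1.1 200 OK
"""
ALLOWED = {"example.com", "www.example.com"}   # assumed allowlist for the site

if __name__ == "__main__":
    for name, capture in (("good", GOOD), ("bad", BAD)):
        print(name, unexpected_redirects(capture, ALLOWED))
```

Run against captures taken at intervals, the hop number in each finding shows whether the off-site Location came from the first response or from a later hop in the chain.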
