Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Found Nginx configuration vulnerability #118

Closed
joglomedia opened this issue Dec 5, 2021 · 0 comments
Closed

Found Nginx configuration vulnerability #118

joglomedia opened this issue Dec 5, 2021 · 0 comments
Assignees
@joglomedia
Labels
bug

Comments

@joglomedia
Copy link
Owner

joglomedia commented Dec 5, 2021
edited
Loading

Describe the Issue / Bug

$ gixy etc/nginx/vhost/site_wordpress-ms.conf 

==================== Results ===================

>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:

if (!-e $request_filename) {
	rewrite /wp-admin$ $scheme://$host$uri/ permanent;
}

------------------------------------------------

>> Problem: [alias_traversal] Path traversal via misconfigured alias.
Description: Using alias in a prefixed location that doesn't ends with directory separator could lead to path traversal vulnerability. 
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
Pseudo config:

location ^~ /blogs.dir {
	alias $root_path/wp-content/blogs.dir;
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 1
    High: 1
$ gixy etc/nginx/vhost/site_wordpress-bwps.conf 

==================== Results ===================

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/wp-admin.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* wp-admin) {
}

------------------------------------------------

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/wp-login/php.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* wp-login.php) {
}

------------------------------------------------

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/login.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* login) {
}

------------------------------------------------

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/dashboard.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* dashboard) {
}

------------------------------------------------

>> Problem: [origins] Validation regex for "origin" or "referrer" matches untrusted domain.
Description: Improve the regular expression to match only trusted referrers.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md
Reason: Regex matches "http://evil.com/register.evil.com" as a valid referrer.
Pseudo config:

if ($http_referer !~* register) {
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0

To Reproduce
Steps to reproduce the behavior:

Expected Behavior
A clear and concise description of what you expected to happen.

Screenshots / Screen Cast
If applicable, add screenshots / screen cast to help explain your problem.

Config File (.env)
If applicable, add part of your non-sensitive data from configuration file (.env).

System Information (please complete the following information):

  • OS: [e.g. Linux Mint 19.3 Tricia x86_64 ]
  • Shell: [e.g. bash 4.4.20]
  • Version [e.g. 2.0.0]

Additional Context
Add any other context about the problem here.
@joglomedia joglomedia self-assigned this Dec 5, 2021
joglomedia added a commit that referenced this issue Dec 11, 2021
@joglomedia
Fix issue #118
7c3fb8f
joglomedia added a commit that referenced this issue Dec 11, 2021
@joglomedia
Fix issues #114 #117 #118
3ef52ba
@joglomedia joglomedia added the bug label Dec 24, 2021
@joglomedia joglomedia mentioned this issue Jan 11, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joglomedia joglomedia

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@joglomedia