  1. #1
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294

    nginx security advisory (CVE-2013-4547)

    http://mailman.nginx.org/pipermail/n...13/000125.html

    Ivan Fratric of the Google Security Team discovered a bug in nginx,
    which might allow an attacker to bypass security restrictions in certain
    configurations by using a specially crafted request, or might have
    potential other impact (CVE-2013-4547).
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  2. Thread Summary: A vulnerability in nginx identified by a Google Security Team member is discussed. In certain configurations the flaw could allow attackers to bypass access restrictions.

    An update to fix the problem was released on December 17, 2013. Since then, another mainline version update has occurred.

    nginx users should update if they haven't already done so.

    From the nginx site:

    2013-12-17
    nginx-1.5.8 mainline version has been released.

    2013-11-19
    nginx-1.4.4 stable and nginx-1.5.7 mainline versions have been released, with a fix for the request line parsing vulnerability in nginx 0.8.41 - 1.5.6 discovered by Ivan Fratric of the Google Security Team (CVE-2013-4547).

    http://nginx.org/

    Contributors: FrancesK

  3. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    This would potentially have similar impact to:
    http://cnedelcu.blogspot.com/2010/05...important.html

  4. #3
    Join Date
    Dec 2010
    Location
    Good question
    Posts
    693
    Updated, ty for the notif man

  5. #4
    Join Date
    Nov 2013
    Posts
    34
    Does this affect cp nginx?

  6. #5
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by raidfanatic View Post
    Does this affect cp nginx?
    Potentially yes.

  7. #6
    Join Date
    Apr 2005
    Posts
    1,711
    Looks like github got updated already:

    https://github.com/nginx/nginx/commi...2b306d3d03aa55
    Zach E. - Kualo www.kualo.com
    Shared Web Hosting, Reseller Hosting, Cloud VPS & Dedicated Servers
    UK: 0800 138 3235 ❘ USA: 1-800-995-8256

  8. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Yeah, if you go back one page in their mailing list you will see:
    http://mailman.nginx.org/pipermail/n...13/000124.html

  9. #8

    nginx security patch

    All versions from 0.8.41 through to 1.4.3 are affected.

    This flaw allows an attacker to bypass some URL access restrictions by adding a bulk character in the URL.

    CVSS scoring is 7.5, so it's quite critical, but not a remote root exploit either.

    I recommend updating anyway.

    Mark.
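The recurring question in this thread is "am I affected?". As an added example that is not from the thread, from nginx or from any of the posters, here is a small Python checker that parses the version string printed by `nginx -v` (which writes a line such as `nginx version: nginx/1.4.3` to stderr) and compares it against the affected range quoted from the nginx site above (0.8.41 through 1.5.6, fixed in 1.4.4 stable and 1.5.7 mainline). The branch logic and the `classify` helper name are this example's own assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the nginx release notes quoted in this thread:
# 0.8.41 through 1.5.6; fixed in 1.4.4 (stable) and 1.5.7 (mainline).
FIRST_AFFECTED: Version = (0, 8, 41)
STABLE_FIX: Version = (1, 4, 4)
MAINLINE_FIX: Version = (1, 5, 7)

# `nginx -v` prints e.g. "nginx version: nginx/1.4.3"; accept that anywhere in the text.
VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `nginx -v` output, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if a stock nginx of this version falls in the CVE-2013-4547 range."""
    if version < FIRST_AFFECTED:
        return False            # older than the first vulnerable release
    if version[:2] == (1, 4):   # stable branch: fixed from 1.4.4 onwards
        return version < STABLE_FIX
    if version[:2] >= (1, 5):   # mainline 1.5.x (fixed from 1.5.7) and anything newer
        return version < MAINLINE_FIX
    return True                 # 0.8.41 .. 1.3.x: no fixed release in those branches


def classify(nginx_v_output: str) -> str:
    """Map raw `nginx -v` output to 'affected', 'fixed' or 'unknown'."""
    version = parse_version(nginx_v_output)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "fixed"


def check_installed_nginx(binary: str = "nginx") -> str:
    """Run `nginx -v` on this host and classify the result ('unknown' if not installed)."""
    try:
        proc = subprocess.run([binary, "-v"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    # nginx writes its version banner to stderr, not stdout.
    return classify(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, one per branch the advisory mentions.
    for sample in ("nginx version: nginx/1.4.3",
                   "nginx version: nginx/1.4.4",
                   "nginx version: nginx/1.5.6",
                   "nginx version: nginx/1.5.7"):
        print(f"{sample!r:40} -> {classify(sample)}")
    print("this host ->", check_installed_nginx())
```

One caveat that matters for the "does this affect cPanel's nginx?" question: a vendor or distribution build may ship the fix backported under an older version number, and a plain version comparison cannot see that, so treat "affected" from this script as "check the package changelog", not as proof of exposure.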
