| Subject: | Re: nginx 0day exploit for nginx + fastcgi PHP | |
|---|---|---|
| From: | Ian M. Evans (iane...@digitalhit.com) | |
| Date: | May 22, 2010 5:44:22 am | |
| List: | ru.sysoev.nginx | |
On 5/22/2010 8:24 AM, Igor Sysoev wrote:
> On Sat, May 22, 2010 at 08:13:58AM -0400, Ian M. Evans wrote:
>> On 5/22/2010 6:49 AM, Ian M. Evans wrote:
>>> On 5/22/2010 6:22 AM, Igor Sysoev wrote:
>>>> On Sat, May 22, 2010 at 06:17:26AM -0400, Ian M. Evans wrote:
>>>>> Yep, the two locations you suggested: location ~ ^/(?P<SN>cr... and location ~ ^(?P<SN>.*/(cr...
>>>>
>>>> I can not reproduce. Do you use 0.8.37 ?
>>>
>>> Yes...I installed it last night and forgot to restart it, so the old version was still running. Once I finish banging my head on the desk, I'll disable the cgi.fix_pathinfo and make sure all is well.
>>>
>>> Thanks, and I'll let you know the results.
>>
>> Well, unfortunately, changing cgi.fix_pathinfo to cgi.fix_pathinfo=0 killed the extensionless php files, just like it did in 2008.
>>
>> Here's a snippet from the debug log when it works (cgi.fix_pathinfo=1):
>>
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http uri: "/academy/75/photos"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http args: ""
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http exten: ""
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http process request header line
>> ...
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 test location: "/"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 test location: ~ "\.(shtml|php|inc)$"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 test location: ~ "^/(?P<SN>cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|celebrityrow|torontofilmfestival)(?P<PI>/.*$|$)"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 test location: ~ "^/(?P<SN>galleries)(?P<PI>/.*$|$)"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 test location: ~ "^(?P<SN>.*/(cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|test|profiles|reviews))(?P<PI>/.*$|$)"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http regex set $pi to ""
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http regex set $sn to "/academy/75/photos"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 using configuration "^(?P<SN>.*/(cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|test|profiles|reviews))(?P<PI>/.*$|$)"
>> ...
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http script var: "/academy/75/photos"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 fastcgi param: "SCRIPT_FILENAME: /usr/local/apache/htdocs/academy/75/photos"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http script copy: "PATH_INFO"
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http script var: ""
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 fastcgi param: "PATH_INFO: "
>> ...
>> 2010/05/22 07:50:51 [debug] 24492#0: *1153 http finalize request: -4, "/academy/75/photos?" a:1, c:2
>> ...
>> 2010/05/22 07:50:52 [debug] 24492#0: *1153 http fastcgi record length: 8184
>>
>> And here's the same request failing when cgi.fix_pathinfo is turned off:
>>
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http uri: "/academy/75/photos"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http args: ""
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http exten: ""
>> ...
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 test location: ~ "\.(shtml|php|inc)$"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 test location: ~ "^/(?P<SN>cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|celebrityrow|torontofilmfestival)(?P<PI>/.*$|$)"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 test location: ~ "^/(?P<SN>galleries)(?P<PI>/.*$|$)"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 test location: ~ "^(?P<SN>.*/(cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|test|profiles|reviews))(?P<PI>/.*$|$)"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http regex set $pi to ""
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http regex set $sn to "/academy/75/photos"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 using configuration "^(?P<SN>.*/(cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|test|profiles|reviews))(?P<PI>/.*$|$)"
>> ...
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http script var: "/academy/75/photos"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 fastcgi param: "SCRIPT_FILENAME: /usr/local/apache/htdocs/academy/75/photos"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http script copy: "PATH_INFO"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http script var: ""
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 fastcgi param: "PATH_INFO: "
>> ...
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http finalize request: -4, "/academy/75/photos?" a:1, c:2
>> ...
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http upstream request: "/academy/75/photos?"
>> ...
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http finalize request: 404, "/academy/75/photos?" a:1, c:1
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 http special response: 404, "/academy/75/photos?"
>> 2010/05/22 07:53:18 [debug] 24492#0: *1196 internal redirect: "/dhe404.shtml?"
>>
>> Thanks for any suggestions. What I find interesting (mind-boggling?) is that in both instances $pi, $sn, SCRIPT_FILENAME and PATH_INFO are the same yet one succeeds and the other tosses a 404.
>
> If you request "/academy/75/photos/" with cgi.fix_pathinfo=0, does it work ?

Adding the trailing slash still produced a 404.

2010/05/22 08:35:22 [debug] 24492#0: *1744 http uri: "/academy/75/photos/"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http args: ""
2010/05/22 08:35:22 [debug] 24492#0: *1744 http exten: ""
2010/05/22 08:35:22 [debug] 24492#0: *1744 http process request header line
2010/05/22 08:35:22 [debug] 24492#0: *1744 test location: ~ "\.(shtml|php|inc)$"
2010/05/22 08:35:22 [debug] 24492#0: *1744 test location: ~ "^/(?P<SN>cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|celebrityrow|torontofilmfestival)(?P<PI>/.*$|$)"
2010/05/22 08:35:22 [debug] 24492#0: *1744 test location: ~ "^/(?P<SN>galleries)(?P<PI>/.*$|$)"
2010/05/22 08:35:22 [debug] 24492#0: *1744 test location: ~ "^(?P<SN>.*/(cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|test|profiles|reviews))(?P<PI>/.*$|$)"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http regex set $pi to "/"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http regex set $sn to "/academy/75/photos"
2010/05/22 08:35:22 [debug] 24492#0: *1744 using configuration "^(?P<SN>.*/(cr|evans|news|poll|posters|photos|profile|review|shop|evansabove|test|profiles|reviews))(?P<PI>/.*$|$)"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http script copy: "SCRIPT_FILENAME"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http script var: "/usr/local/apache/htdocs"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http script var: "/academy/75/photos"
2010/05/22 08:35:22 [debug] 24492#0: *1744 fastcgi param: "SCRIPT_FILENAME: /usr/local/apache/htdocs/academy/75/photos"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http script copy: "PATH_INFO"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http script var: "/"
2010/05/22 08:35:22 [debug] 24492#0: *1744 fastcgi param: "PATH_INFO: /"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http finalize request: -4, "/academy/75/photos/?" a:1, c:2
2010/05/22 08:35:22 [debug] 24492#0: *1744 http upstream request: "/academy/75/photos/?"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http fastcgi header: "Status: 404 Not Found"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http fastcgi parser: 0
2010/05/22 08:35:22 [debug] 24492#0: *1744 http fastcgi header: "X-Powered-By: PHP/5.2.5"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http fastcgi parser: 0
2010/05/22 08:35:22 [debug] 24492#0: *1744 http fastcgi header: "Content-type: text/html"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http fastcgi parser: 1
2010/05/22 08:35:22 [debug] 24492#0: *1744 http fastcgi header done
2010/05/22 08:35:22 [debug] 24492#0: *1744 finalize http upstream request: 404
2010/05/22 08:35:22 [debug] 24492#0: *1744 finalize http fastcgi request
2010/05/22 08:35:22 [debug] 24492#0: *1744 free rr peer 1 0
2010/05/22 08:35:22 [debug] 24492#0: *1744 close http upstream connection: 13
2010/05/22 08:35:22 [debug] 24492#0: *1744 event timer del: 13: 3221463051
2010/05/22 08:35:22 [debug] 24492#0: *1744 rtsig del connection: fd:13
2010/05/22 08:35:22 [debug] 24492#0: *1744 http finalize request: 404, "/academy/75/photos/?" a:1, c:1
2010/05/22 08:35:22 [debug] 24492#0: *1744 http special response: 404, "/academy/75/photos/?"
2010/05/22 08:35:22 [debug] 24492#0: *1744 internal redirect: "/dhe404.shtml?"
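Added example (not part of the original message): a small Python parser for nginx debug-log lines like those quoted above. It groups entries by connection id and compares the FastCGI parameters nginx sent with the status that came back. The function names are illustrative, and the sample lines are abridged from the excerpts in the message.

```python
import re
from collections import defaultdict

# Lines abridged from the debug-log excerpts in the message above.
SAMPLE = '''\
2010/05/22 07:50:51 [debug] 24492#0: *1153 http uri: "/academy/75/photos"
2010/05/22 07:50:51 [debug] 24492#0: *1153 fastcgi param: "SCRIPT_FILENAME: /usr/local/apache/htdocs/academy/75/photos"
2010/05/22 07:50:51 [debug] 24492#0: *1153 fastcgi param: "PATH_INFO: "
2010/05/22 07:50:51 [debug] 24492#0: *1153 http finalize request: -4, "/academy/75/photos?" a:1, c:2
2010/05/22 07:53:18 [debug] 24492#0: *1196 http uri: "/academy/75/photos"
2010/05/22 07:53:18 [debug] 24492#0: *1196 fastcgi param: "SCRIPT_FILENAME: /usr/local/apache/htdocs/academy/75/photos"
2010/05/22 07:53:18 [debug] 24492#0: *1196 fastcgi param: "PATH_INFO: "
2010/05/22 07:53:18 [debug] 24492#0: *1196 http finalize request: 404, "/academy/75/photos?" a:1, c:1
2010/05/22 08:35:22 [debug] 24492#0: *1744 http uri: "/academy/75/photos/"
2010/05/22 08:35:22 [debug] 24492#0: *1744 fastcgi param: "SCRIPT_FILENAME: /usr/local/apache/htdocs/academy/75/photos"
2010/05/22 08:35:22 [debug] 24492#0: *1744 fastcgi param: "PATH_INFO: /"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http fastcgi header: "Status: 404 Not Found"
2010/05/22 08:35:22 [debug] 24492#0: *1744 http finalize request: 404, "/academy/75/photos/?" a:1, c:1
'''

LINE = re.compile(r'^\S+ \S+ \[debug\] \d+#\d+: \*(\d+) (.*)$')
URI = re.compile(r'^http uri: "(.*)"$')
PARAM = re.compile(r'^fastcgi param: "([A-Z_]+): (.*)"$')
STATUS = re.compile(r'^http fastcgi header: "Status: (\d+)')
FINAL = re.compile(r'^http finalize request: (-?\d+),')

def summarize(log_text):
    """Group debug lines by connection id (*N): what nginx sent, what came back."""
    reqs = defaultdict(lambda: {"uri": None, "params": {}, "upstream_status": None, "final": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # elision markers ("...") and blank lines
        r, msg = reqs[m.group(1)], m.group(2)
        if (u := URI.match(msg)):
            r["uri"] = u.group(1)
        elif (p := PARAM.match(msg)):
            r["params"][p.group(1)] = p.group(2)
        elif (s := STATUS.match(msg)):
            r["upstream_status"] = int(s.group(1))
        elif (f := FINAL.match(msg)) and int(f.group(1)) > 0:  # negative = nginx-internal code
            r["final"] = int(f.group(1))
    return dict(reqs)

def param_diff(a, b):
    """FastCGI params whose values differ between two request summaries."""
    keys = a["params"].keys() | b["params"].keys()
    return {k: (a["params"].get(k), b["params"].get(k)) for k in sorted(keys)
            if a["params"].get(k) != b["params"].get(k)}
```

An empty `param_diff` between two requests with different outcomes means nginx passed the same values both times, so the difference lies on the PHP side, where `cgi.fix_pathinfo` is read.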