【转贴】Nginx %00空字节执行任意代码(php)漏洞
转自http://www.hostloc.com/thread-73374-1-1.html影响版本:
nginx 0.5.*
nginx 0.6.*
nginx 0.7 <= 0.7.65
nginx 0.8 <= 0.8.37
漏洞描述:
Possible Arbitrary Code Execution with Null Bytes, PHP, and Old Versions of nginx
Ngnix在遇到%00空字节时与后端FastCGI处理不一致,导致可以在图片中嵌入PHP代码然后通过访问xxx.jpg%00.php来执行其中的代码
In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h).
Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.
<*参考
https://nealpoole.com/blog/2011/ ... -versions-of-nginx/
*>
测试方法:
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
The attack itself is simple: a malicious user who makes a request to http://example.com/file.ext%00.php causes file.ext to be parsed as PHP.
If an attacker can control the contents of a file served up by nginx (ie: using an avatar upload form) the result is arbitrary code execution. This vulnerability can not be mitigated by nginx configuration settings like try_files or PHP configuration settings like cgi.fix_pathinfo: the only defense is to upgrade to a newer version of nginx or to explicitly block potentially malicious requests to directories containing user-controlled content.
SEBUG安全建议:
解决方案
升级nginx版本
http://nginx.org 军哥,这个会不会影响lnmpa
使用升级工具不能升级。。出现以下提示。我用DEBIAN
1.1.1.tar.gz not found!!!download now......
--2011-08-26 21:50:19--http://nginx.org/download/nginx-%0D1.1.1.tar.gz
Resolving nginx.org... 206.251.255.63
Connecting to nginx.org|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2011-08-26 21:50:20 ERROR 404: Not Found.
WARNING!May be the nginx version you input was wrong,please check!
1.1.1 Version input was:
[ 本帖最后由 咖啡 于 2011-8-26 21:54 编辑 ]
回复 2# 的帖子
你输入的有问题 原帖由 licess 于 2011-8-26 16:00 发表 https://bbs.vpser.net/images/common/back.gif你输入的有问题
这个是最新爆的漏洞吗 ?
我还是7.6.7的 看不懂是不是在这个范围之类
如果是的话 怎么升级呢?
求军哥解答
回复 4# 的帖子
nginx 0.7 <= 0.7.65nginx 0.8 <= 0.8.37
0.7.67不在范围内
升级:https://www.vpser.net/build/lnmp-auto-upgrade-nginx-to-any-version.html 原帖由 licess 于 2011-8-27 02:42 发表 https://bbs.vpser.net/images/common/back.gif
nginx 0.7
太棒了 谢谢军哥!!!!:victory::lol
页:
[1]