[WEB SECURITY] Attack via space in filename on nginx

MustLive mustlive at websecurity.com.ua
Fri Nov 29 16:50:37 EST 2013


Hello participants of Mailing List.

Last week I wrote a new article, and I'll tell you briefly about conducting
a Code Execution attack on the nginx web server. This topic should be
interesting for you (especially for those who haven't read it before).

Earlier I wrote about three bypass methods of code execution via uploaders.
I wrote about them in different advisories and in my 2011 article Attack via
double extensions in Apache (http://websecurity.com.ua/5600/). In my article
I described two methods of attack on IIS (briefly, with links to the
advisories where these attacks were introduced) and described in detail a
method of attack on Apache using double extensions. And now I'll
describe a fourth method of attack, which works on nginx.

Attack via space in filename on nginx
http://websecurity.com.ua/6887/

Recently a vulnerability in nginx (CVE-2013-4547) was disclosed, which is
fixed in versions nginx 1.4.4 and 1.5.7. Vulnerable are versions nginx
0.8.41 - 1.5.6.

Code Execution attack on nginx:

1. Upload a file with a space at the end ("file ") via an uploader, e.g. a
php-script.

2. Make a request to this file on the web site in this way:
"http://site/file \0.php". It will lead to execution of the php-script.

The attack will work only with special settings of the web server (described
in the article). But it's still an interesting attack vector.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
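
For defenders, an added example (not part of the original post or the linked article): a check of an nginx version string against the affected range quoted above, and a scan of access-log lines for a request path with a raw space followed by a NUL byte. It assumes the combined log format and that nginx writes the NUL byte as the literal text \x00 in the log; the function names and sample log lines are constructed for illustration.

```python
import re

# Version bounds as stated in the post.
VULN_FIRST = (0, 8, 41)      # first vulnerable version
FIXED_MAINLINE = (1, 5, 7)   # fix in the 1.5.x branch
FIXED_STABLE = (1, 4, 4)     # fix in the 1.4.x branch


def is_vulnerable(version: str) -> bool:
    """True if the nginx version falls in the range given in the post."""
    v = tuple(int(p) for p in version.strip().split("."))
    if v < VULN_FIRST or v >= FIXED_MAINLINE:
        return False
    # 1.4.4 and later 1.4.x are fixed even though 1.5.0 - 1.5.6 are not.
    return not (v[:2] == (1, 4) and v >= FIXED_STABLE)


REQUEST_FIELD = re.compile(r'"([^"]*)"')                # first quoted field: $request
REQUEST_LINE = re.compile(r'^(\S+) (.*) HTTP/\d\.\d$')  # method, raw URI, protocol
SPACE_NUL = re.compile(r' \\x00')                       # raw space, then escaped NUL


def suspicious_requests(log_lines):
    """Return (line_number, raw_uri) for requests matching the pattern in step 2."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        field = REQUEST_FIELD.search(line)
        if not field:
            continue
        m = REQUEST_LINE.match(field.group(1))
        uri = m.group(2) if m else field.group(1)
        if SPACE_NUL.search(uri):
            hits.append((n, uri))
    return hits


# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    r'203.0.113.5 - - [29/Nov/2013:16:40:01 +0000] "GET /uploads/a.jpg HTTP/1.1" 200 512 "-" "curl/7.30"',
    r'203.0.113.5 - - [29/Nov/2013:16:40:07 +0000] "GET /uploads/file \x00.php HTTP/1.1" 200 31 "-" "curl/7.30"',
    r'198.51.100.9 - - [29/Nov/2013:16:41:12 +0000] "GET /search?q=a%20b HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ver in ("1.4.3", "1.4.4", "1.5.6", "1.5.7"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "not in affected range")
    for n, uri in suspicious_requests(SAMPLE_LOG):
        print("log line", n, "suspicious URI:", uri)
```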




