Nginx is the web server that people use for speed. And I have published a guide on how you can auto install Nginx. Few days ago developers have discovered a serious buffer overflow vulnerability on Nginx versions 1.3.9 to 1.4.0. This is documented on CVE-2013-2028. According to the statement ,
Greg MacManus, of iSIGHT Partners Labs, found a security problem in several recent versions of nginx. A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028). The problem affects nginx 1.3.9 - 1.4.0. The problem is fixed in nginx 1.5.0, 1.4.1. Patch for the problem can be found here: http://nginx.org/download/patch.2013.chunked.txt As a temporary workaround the following configuration can be used in each server{} block: if ($http_transfer_encoding ~* chunked) { return 444; }
They says that successful exploitation will lead in to arbitrary code execution resulting the server to be completely exploited. So if you are running aforementioned versions of Nginx dont forget to update it to the latest available version which is 1.4.1 or latest development version which is 1.5.0
{ 0 comments… add one now }