nginx package in Lucid Lynx allows null byte vulnerability in certain configurations

Bug #783508 reported by Neal Poole on 2011-05-16
Affects: nginx (Ubuntu); Importance: Undecided; Assigned to: Steve Beattie

Bug Description

Binary package hint: nginx

The version of nginx provided in Lucid Lynx is out-of-date. In particular, it is missing a commit (r3528 from svn://svn.nginx.org) that modified how null bytes in the URI are handled. This commit was released as a part of nginx 0.7.66.

The current behavior is dangerous when nginx is acting as a web server in front of a FastCGI server (in particular, a PHP-FCGI server). By using the null byte to append a different extension (e.g. .php) to the URI, an attacker can convince nginx to pass the full URI, including the null byte, through to the FastCGI server. In the case of PHP-FCGI, all of the data after the null byte is discarded. So for instance, http://example.org/uploads/file.jpg%00.php would cause http://example.org/uploads/file.jpg to be parsed as PHP. For sites where file uploads are allowed, this can lead to unintended arbitrary code execution.

This issue may affect nginx packages in other, older Ubuntu releases.
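
To make the mechanism in the report concrete, the following is an added example written for this page; it is neither nginx source nor part of the bug report or the debdiff. It models the two halves of the problem in C: a length-counted URI decoder (like nginx's ngx_str_t, where a decoded %00 is just another byte) feeding a suffix match of the kind a `location ~ \.php$` block performs, and a C-string consumer standing in for PHP-FCGI reading SCRIPT_FILENAME, where everything from the first NUL onward disappears. The `nul_rejects` switch models the fixed parser, which refuses a URI that decodes to a NUL byte with a 400; that is my reading of what the upstream change does, not something this page states. The document root `/var/www`, the suffix rule, and the request `/uploads/file.jpg%00.php` are constructed for the example.

```c
/* Added example, not nginx code: models the pre-fix routing path (a NUL byte
 * survives URI decoding and the ".php" suffix still matches) next to the
 * fixed one (a decoded %00 is rejected as a bad request). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum route { ROUTE_STATIC = 0, ROUTE_PHP_BACKEND = 1, ROUTE_BAD_REQUEST = 400 };

/* Hex digit -> value, -1 if the character is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode raw_uri into out and return the decoded byte count.
 * The output is length-counted (like ngx_str_t): an embedded NUL is stored
 * as an ordinary byte.  With reject_nul set, a decoded %00 returns -1 (the
 * fixed behaviour).  Malformed escapes or overflow return -2. */
static long decode_uri(const char *raw_uri, unsigned char *out, size_t cap, int reject_nul) {
    size_t n = 0;
    for (const char *p = raw_uri; *p; p++) {
        int c;
        if (*p == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -2;
            c = (hi << 4) | lo;
            p += 2;
        } else {
            c = (unsigned char)*p;
        }
        if (c == 0 && reject_nul) return -1;
        if (n >= cap) return -2;
        out[n++] = (unsigned char)c;
    }
    return (long)n;
}

/* Length-aware suffix test: how a rule such as "location ~ \.php$" is matched
 * against the whole decoded URI, NUL byte included.  (Assumed rule.) */
static int ends_with_php(const unsigned char *uri, size_t len) {
    static const char suf[] = ".php";
    size_t sl = sizeof(suf) - 1;
    return len >= sl && memcmp(uri + len - sl, suf, sl) == 0;
}

/* Routing decision: nul_rejects=0 models nginx before the fix, 1 the fixed
 * parser.  decoded/declen receive the URI handed to the backend. */
enum route route_request(const char *raw_uri, int nul_rejects,
                         unsigned char *decoded, size_t cap, size_t *declen) {
    long n = decode_uri(raw_uri, decoded, cap, nul_rejects);
    if (n < 0) return ROUTE_BAD_REQUEST;
    *declen = (size_t)n;
    return ends_with_php(decoded, (size_t)n) ? ROUTE_PHP_BACKEND : ROUTE_STATIC;
}

/* Build docroot + URI into script as a C string.  FastCGI carries the value
 * length-prefixed, but a C-string consumer (PHP handling SCRIPT_FILENAME)
 * stops at the first NUL, so every later byte is dropped. */
const char *script_filename_seen_by_php(const char *docroot, const unsigned char *uri,
                                        size_t len, char *script, size_t cap) {
    size_t dl = strlen(docroot);
    if (dl + len + 1 > cap) return NULL;
    memcpy(script, docroot, dl);
    memcpy(script + dl, uri, len);
    script[dl + len] = '\0';
    return script;   /* strlen()/strcmp() on this end at the embedded NUL */
}

static unsigned char g_uri[256];
static char g_script[512];

/* One request end to end under a given parser mode: the SCRIPT_FILENAME
 * PHP would see when routed to the PHP backend, NULL otherwise. */
const char *php_path_for(const char *raw_uri, int nul_rejects) {
    size_t n = 0;
    if (route_request(raw_uri, nul_rejects, g_uri, sizeof g_uri, &n) != ROUTE_PHP_BACKEND)
        return NULL;
    return script_filename_seen_by_php("/var/www", g_uri, n, g_script, sizeof g_script);
}

int main(void) {
    const char *uri = "/uploads/file.jpg%00.php";   /* constructed request */
    const char *seen = php_path_for(uri, 0);
    printf("pre-fix : PHP backend runs %s\n", seen ? seen : "(not routed)");
    seen = php_path_for(uri, 1);
    printf("fixed   : %s\n", seen ? seen : "400 Bad Request, never reaches PHP");
    return 0;
}
```

The pre-fix run routes the request to the PHP backend because the 22-byte decoded URI ends in `.php`, yet the C string PHP works with is `/var/www/uploads/file.jpg`, the uploaded file. With the parser rejecting the NUL, the request ends at nginx. Note that rejecting `%00` at the edge is the right fix precisely because the two components disagree about where the string ends; tightening the PHP-side location regex alone leaves the length mismatch in place.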

Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Changed in nginx (Ubuntu):
status: New → Triaged
Neal Poole (nealpoole) wrote :

OK. I've created a debdiff based on the changes made in r3528. I've never done this before, so let me know if I messed up anything. I'll also add another comment containing the original diff from SVN.

Neal Poole (nealpoole) wrote :

I'm attaching the patch which was generated by svn diff for r3528. This patch is what I used to build the debdiff. The patch applied cleanly except for the hunk in src/http/modules/perl/ngx_http_perl_module.c: there's an extra line of code in the patch (r->main->count++;) that isn't present in the Ubuntu code.

Marc Deslauriers (mdeslaur) wrote :

Subscribing ubuntu-security-sponsors so your debdiff will get reviewed.

Steve Beattie (sbeattie) wrote :

Thanks for generating the debdiff, I'll review.

Changed in nginx (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

Neal, thanks again for submitting this. I've reviewed the patch, cleaned up the distro target, version, and changelog entry to conform better to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging , adjusted the quilt header a bit, built, and performed some testing on the package. It should make it to the security pocket in a little bit.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 0.7.65-1ubuntu2.1

---------------
nginx (0.7.65-1ubuntu2.1) lucid-security; urgency=low

  * SECURITY UPDATE:
    - debian/patches/nginx-null_byte_in_urls.patch: Merge r3528 from
      upstream repository to mitigate potential null byte vulnerability
      (LP: #783508)
 -- Neal Poole <email address hidden> Fri, 17 Jun 2011 20:44:44 -0400

Changed in nginx (Ubuntu):
status: Triaged → Fix Released