PT-2012-06: Security restrictions bypass in nginx for Windows

Vulnerable software

nginx for Windows
Version: 1.2.0 and earlier, 1.3.0 and earlier

Application link: http://nginx.org/

Severity level

Severity level: Medium
Impact: Security restrictions bypass
Access Vector: Network exploitable

CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE: CVE-2011-4963

Software description

nginx [engine x] is an HTTP server, reverse proxy server, and mail proxy server.

Vulnerability description

The specialists of the Positive Research center have detected a "Security restrictions bypass" vulnerability in nginx for Windows.

When matching the requested resource URL against the locations defined in the web server configuration, nginx does not take into account that NTFS allows folders to be addressed with extended attribute syntax. This allows attackers to bypass access restrictions set for static resources.

Exploitation

Given a restriction such as:

    location ~/directory/ { deny all; }

An attacker can bypass this restriction by requesting the resource as follows:

    "/directory:$i30:$INDEX_ALLOCATION/file"
    "/directory::$index_allocation/file"
    "/directory./file"

How to fix

Update your software to the latest version.

For older versions, the following configuration can be used as a workaround:

    location ~ "(\.|:\$)" { deny all; }

Advisory status

15.05.2012 - Vendor is notified
15.05.2012 - Vendor gets vulnerability details
05.06.2012 - Vendor releases fixed version and details
07.06.2012 - Public disclosure

Credits

The vulnerability was discovered by Vladimir Kochetkov, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-06
http://mailman.nginx.org/pipermail/nginx-announce/2012/000086.html

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
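For operators reviewing logs from affected nginx for Windows hosts, the following is an added detection example, not part of the original advisory or of nginx: it flags requests whose decoded path uses the NTFS syntax forms listed under Exploitation and reports the response status so served requests stand out. The function names, the use of the "combined" access log format, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2012:10:00:01 +0000] "GET /directory/file HTTP/1.1" 403 169 "-" "-"
203.0.113.5 - - [07/Jun/2012:10:00:02 +0000] "GET /directory::$index_allocation/file HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [07/Jun/2012:10:00:03 +0000] "GET /directory%3A%24i30%3A%24INDEX_ALLOCATION/file HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [07/Jun/2012:10:00:04 +0000] "GET /directory./file HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [07/Jun/2012:10:00:05 +0000] "GET /css/site.v1.2.css HTTP/1.1" 200 900 "-" "-"
"""

# Request line and status as they appear in the combined format.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def classify(path):
    """Return the reasons a decoded URI path looks like NTFS extended syntax."""
    reasons = []
    # ":$" covers both "dir:$i30:$INDEX_ALLOCATION" and "dir::$index_allocation".
    if ":$" in path:
        reasons.append("ntfs-stream-syntax")
    # A segment ending in "." (the advisory's "/directory./file" form);
    # segments made only of dots ("." and "..") are ordinary and ignored.
    if any(seg.endswith(".") and seg.strip(".") for seg in path.split("/")):
        reasons.append("trailing-dot-segment")
    return reasons


def scan(log_text):
    """Return (status, decoded_path, reasons) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Drop the query string and percent-decode once, since location
        # matching is done on the decoded path.
        path = unquote(m.group("target").split("?", 1)[0])
        reasons = classify(path)
        if reasons:
            findings.append((int(m.group("status")), path, reasons))
    return findings


if __name__ == "__main__":
    for status, path, reasons in scan(SAMPLE_LOG):
        print(status, path, ",".join(reasons))
```

A flagged request with a 2xx status against a location that should be denied is the case to investigate first.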