[NOT I-MSCP RELATED] NGiNX

A vulnerability has been discovered in all the latest releases of NGiNX.

This is a quote from Securityfocus.com

Quote

Website: http://safe3.com.cn

I. BACKGROUND
---------------------

Nginx is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VKontakte, and Rambler. According to Netcraft nginx served or proxied 12.96% busiest sites in April 2013. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.

II. DESCRIPTION
---------------------

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx.

The vulnerability is caused by a int overflow error within the Nginx
ngx_http_close_connection function when r->count is less then 0 or more then 255, which could be exploited
by remote attackers to compromise a vulnerable system via malicious http requests.

III. AFFECTED PRODUCTS
---------------------------

Nginx all latest version

IV. Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a fully functional remote code execution exploit are available through the safe3q (at) gmail (dot) com [email concealed]
In src\http\ngx_http_request_body.c ngx_http_discard_request_body function,we can make r->count++.

V. VUPEN Threat Protection Program
-----------------------------------

VI. SOLUTION
----------------

Validate the r->count input.

VII. CREDIT
--------------

This vulnerability was discovered by Safe3 of Qihoo 360.

VIII. ABOUT Qihoo 360
---------------------------

Qihoo 360 is the leading provider of defensive and offensive web cloud security of China.

IX. REFERENCES
----------------------
http://nginx.org/en/

Display More

Source: Securityfocus.com

I will update this thread as soon as more information is out.

First response from the NGiNX team so far:

Quote

Unfortunately we weren't approached by "Qihoo 360 Web Security Research Team"
before this publication went out through bugtraq.

We are now trying to obtain more information from that team without much success.

We've also analyzed their report and we can't conclude this is a real vulnerability yet.
From the descriptions provided it still looks like it's somewhat spurious.

We are trying to continue investigation though.

Regrettably responsible disclosure isn't always the case. However, we can't yet confirm
it's a full one either.

Display More

As it seems they can't get this 100% confirmed and the reporting person/team didn't go through the correct channels.

Still waiting for a valid response if this is a real threat or false.

Source: Openwall.com

The NGiNX team can not confirm this vulnerability. A last statement from the team:

Quote

We've been also directly approached by Qihoo team couple of days ago.

After a thorough examination we can tell the following:

http://mailman.nginx.org/piper…nx/2013-April/038701.html

Basically, we believe that nginx code distributed by Nginx Inc. is not affected by
the above mentioned report.

Display More

Source: Openwall.com

This probably means it can be related to a package provided by a distribution or an alternative mirror like dotdeb (.deb, .rpm etc) , which one is unknown.

The threat is real, and nginx have released a fix. Read more on their website.

Sent from my GT-I9300 using Tapatalk 2