var-201005-0437
Vulnerability from variot
Nginx is a high-performance web server that is widely used. It is not only often used as a reverse proxy, but also very well supported for PHP. 80sec found that there is a more serious security problem. By default, any type of file may be parsed in PHP by server error. The attacker can execute arbitrary PHP code with WEB permission. Nginx supports php running by default in cgi mode, such as location ~ \.php$ {root html; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;include fastcgi_params; The } method supports the parsing of php. When the location selects the request, it uses the URI environment variable to select. The key variable SCRIPT_FILENAME passed to the backend Fastcgi is determined by the $fastcgi_script_name generated by nginx, and the analysis can be seen by $fastcgi_script_name It is directly controlled by the URI environment variable, here is the point where the problem occurs. In order to better support the extraction of PATH_INFO, the cgi.fix_pathinfo option exists in the PHP configuration options, the purpose is to extract the real script name from SCRIPT_FILENAME. So suppose there is a http://www.80sec.com/80sec.jpg, you can visit http://www.80sec.com/80sec.jpg/80sec.php in the following way. nginx is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. The issue affects nginx 0.6.36 and prior
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201005-0437",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "nginx",
"scope": null,
"trust": 0.6,
"vendor": "nginx",
"version": null
},
{
"model": "sysoev nginx",
"scope": "eq",
"trust": 0.3,
"vendor": "igor",
"version": "0.6.36"
},
{
"model": "sysoev nginx",
"scope": "eq",
"trust": 0.3,
"vendor": "igor",
"version": "0.6.32"
},
{
"model": "sysoev nginx",
"scope": "eq",
"trust": 0.3,
"vendor": "igor",
"version": "0.6"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-0917"
},
{
"db": "BID",
"id": "40420"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "cp77fk4r",
"sources": [
{
"db": "BID",
"id": "40420"
}
],
"trust": 0.3
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Nginx is a high-performance web server that is widely used. It is not only often used as a reverse proxy, but also very well supported for PHP. 80sec found that there is a more serious security problem. By default, any type of file may be parsed in PHP by server error. The attacker can execute arbitrary PHP code with WEB permission. Nginx supports php running by default in cgi mode, such as location ~ \\\\.php$ {root html; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;include fastcgi_params; The } method supports the parsing of php. When the location selects the request, it uses the URI environment variable to select. The key variable SCRIPT_FILENAME passed to the backend Fastcgi is determined by the $fastcgi_script_name generated by nginx, and the analysis can be seen by $fastcgi_script_name It is directly controlled by the URI environment variable, here is the point where the problem occurs. In order to better support the extraction of PATH_INFO, the cgi.fix_pathinfo option exists in the PHP configuration options, the purpose is to extract the real script name from SCRIPT_FILENAME. So suppose there is a http://www.80sec.com/80sec.jpg, you can visit http://www.80sec.com/80sec.jpg/80sec.php in the following way. nginx is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. \nExploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. \nThe issue affects nginx 0.6.36 and prior",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-0917"
},
{
"db": "BID",
"id": "40420"
}
],
"trust": 0.81
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "40420",
"trust": 0.9
},
{
"db": "CNVD",
"id": "CNVD-2010-0917",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-0917"
},
{
"db": "BID",
"id": "40420"
}
]
},
"id": "VAR-201005-0437",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-0917"
}
],
"trust": 0.06
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-0917"
}
]
},
"last_update_date": "2022-05-17T01:41:43.694000Z",
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 0.6,
"url": "http://www.80sec.com/nginx-securit.html"
},
{
"trust": 0.3,
"url": "http://nginx.org/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-0917"
},
{
"db": "BID",
"id": "40420"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2010-0917"
},
{
"db": "BID",
"id": "40420"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-05-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2010-0917"
},
{
"date": "2010-05-20T00:00:00",
"db": "BID",
"id": "40420"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-05-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2010-0917"
},
{
"date": "2010-05-28T16:30:00",
"db": "BID",
"id": "40420"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "network",
"sources": [
{
"db": "BID",
"id": "40420"
}
],
"trust": 0.3
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Nginx file type error parsing vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2010-0917"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Input Validation Error",
"sources": [
{
"db": "BID",
"id": "40420"
}
],
"trust": 0.3
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.