docker icon indicating copy to clipboard operation
docker copied to clipboard
verified publisher icon wallabag

Nginx security: please check if config is save

Open saschafoerster opened this issue 6 years ago • 2 comments

Some days ago, vulnerabilities in certain Nginx-configs have been reported: https://nvd.nist.gov/vuln/detail/CVE-2019-11043 https://bugs.php.net/bug.php?id=78599 https://de.tenable.com/blog/cve-2019-11043-vulnerability-in-php-fpm-could-lead-to-remote-code-execution-on-nginx

I am not shure, if wallabags configuration is unsafe, but it resembles in some way to described fields of problems: https://github.com/wallabag/wallabag/blob/master/docker/nginx/nginx.conf, for instance it contains: "fastcgi_split_path_info ^(.+?.php)(/.*)$;"

saschafoerster avatar Nov 03 '19 22:11 saschafoerster

I think it might be OK since it includes a try_files directive, though not sure if that would need to be tightened since it includes $args?

https://github.com/wallabag/wallabag/blob/3b79c1ac4e72ff6fbd2beaa09be7e5f7085bfb8b/docker/nginx/nginx.conf#L44

I don't have a way to test since I use nginx only as a reverse proxy to Apache, which handles php with mod_php instead of php-fpm. However if someone's using nginx+php-fpm, they can test to see if it's vulnerable with this PoC:

https://github.com/neex/phuip-fpizdam

4oo4 avatar Nov 04 '19 19:11 4oo4

The config is here: https://github.com/wallabag/docker/blob/f86d945624865dcb4fa1d2d6a53b54b77285221b/root/etc/nginx/nginx.conf

If someone can test if the config is vulnerable 👍

j0k3r avatar Nov 12 '19 13:11 j0k3r