Eric,

On Sat, Jun 1, 2013 at 7:23 AM, Eric Shubert wrote:
> On 05/31/2013 05:41 PM, Lisa Kachold wrote:
>
>> Nginx has some pretty serious security issues, so be sure that you
>> implement it with all the patches and complete recommendations:
>>
>> http://nginx.org/en/security_advisories.html
>>
>
> The current version in CentOS4 is not susceptible to any of these
> vulnerabilities. Good to check though.

Yes, Shubes! Don't even blink! Every day another exploit is announced!

excerpts:

Anonymous hackers behind the Cdorked malware that targets Apache servers now have extended their exploit to infect open-source Nginx and Lighttpd server software.

http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/

This integer overflow fails over so you can do just about whatever you like; especially with the right tools:

http://exploitsdownload.com/search/nginx/

Old stuff from 2010: "A noobs guide to hacking Nginx"
http://hoisie.com/2010/12/29/a-cool-example-of-hacking-nginx/

Nginx Tuesday announced the release of nginx-1.4.1 -- as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow vulnerability that attackers could exploit to execute arbitrary code on an Nginx server and completely compromise it. In a security advisory issued Tuesday, Nginx said the bug is present in Nginx versions 1.3.9 and 1.4.0. "The problem is fixed in nginx 1.5.0 [and] 1.4.1," it said.

Yes, installing from repo (with Redhat/CentOS/Fedora and Ubuntu) means that if a vulnerability exists with a patch available, the Nginx installed is going to include that security fix. CentOS/Redhat (and Ubuntu) are so fast with fixing vulnerabilities (and the Nginx security issues are all the standard browser stack vulns: stack smash, XSS, remote code execution, escalated privs).
Of course there are also a few implementation security issues - that seem like nice hacks on the front side until - well, your site is defaced:
http://www.theadminzone.com/forums/showthread.php?t=99536

It's really rather outrageous that Apache has dominated this space for so long, when slimmed down httpd servers and reverse proxies do the job so much better, especially in 3/4 tiered environments with J2EE, is it not?

Nginx:
http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/

I personally still favor the custom compiled Apache2 with vastly scaled down binary size (dynamic module stripping) and custom server signature [replacing "Apache2 $version" with "$customstring $version", which IS allowed under the Apache2 license] (to reduce fingerprinting - and therefore also limit script kiddies - if we can't mitigate everything, let's obfuscate!).

>
>
> --
> -Eric 'shubes'
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>

--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com Chief Clown
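Two of the points in this thread are checkable from a shell on the box: whether the installed nginx sits inside the version range the quoted advisory calls affected (1.3.9 and 1.4.0, fixed in 1.4.1 and 1.5.0), and whether the web server's Server header still hands out a version string that the custom-signature idea above is meant to hide. The script below is an added example written for this page, not code from the thread or from the nginx or Apache projects; the function names are my own, and the banner and header lines it checks are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example (not from this thread): check an nginx version against the
# range the quoted advisory names as affected (1.3.9..1.4.0; fixed in
# 1.4.1 / 1.5.0), and check whether a Server header still leaks a version.

# Turn "a.b.c" into one integer so versions compare with -ge/-le.
# Assumes each component is below 1000, which holds for nginx releases.
ver_num() {
  echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Pull the bare version out of `nginx -v` output,
# e.g. "nginx version: nginx/1.4.0" (note: nginx -v writes to stderr).
nginx_version_from_banner() {
  echo "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Exit 0 when the version lies in 1.3.9..1.4.0, the range the quoted
# advisory names; 1.4.1 and 1.5.0 fall outside it.
nginx_version_in_affected_range() {
  v=$(ver_num "$1")
  lo=$(ver_num 1.3.9)
  hi=$(ver_num 1.4.0)
  [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Exit 0 when a Server response header carries a product/version pair,
# i.e. the fingerprint reduction discussed above has not been applied.
server_header_leaks_version() {
  echo "$1" | grep -Eiq '^Server:[[:space:]]*[^[:space:]]+/[0-9]+\.[0-9]'
}

# Constructed sample inputs so the script runs offline. On a real host use:
#   nginx_version_from_banner "$(nginx -v 2>&1)"
#   curl -sI http://localhost/ | grep -i '^Server:'
sample_banner='nginx version: nginx/1.4.0'
sample_header_leaky='Server: Apache/2.2.15 (CentOS)'
sample_header_quiet='Server: Apache'

ver=$(nginx_version_from_banner "$sample_banner")
if nginx_version_in_affected_range "$ver"; then
  echo "nginx $ver is inside the affected range 1.3.9-1.4.0: update from the repo"
else
  echo "nginx $ver is outside the affected range"
fi

for h in "$sample_header_leaky" "$sample_header_quiet"; do
  if server_header_leaks_version "$h"; then
    echo "version leaked: $h"
  else
    echo "no version in header: $h"
  fi
done
```

The version check is deliberately a range test rather than a string match, because repo builds such as CentOS's carry a distribution release suffix and the bare upstream number is what the advisory is about; the header check only tells you a version is visible, it says nothing about whether that version is patched, which is why the two checks are kept separate.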