Eric,
On Sat, Jun 1, 2013 at 7:23 AM, Eric Shubert <
ejs@shubes.net> wrote:
> On 05/31/2013 05:41 PM, Lisa Kachold wrote:
>
>> Nginx has some pretty serious security issues, so be sure that you
>> implement it with all the patches and complete recommendations:
>>
>> http://nginx.org/en/security_**advisories.htmlÂ<http://nginx.org/en/security_advisories.html%C3%82>
>>
>
> The current version in CentOS4 is not susceptible to any of these
> vulnerabilities. Good to check though.
Yes, Shubes! Don't even blink! Every day another exploit is announced!
excerpts:
Anonymous hackers behind the Cdorked malware that targets Apache servers
now have extended their exploit to infect open-source Nginx and Lighttpd
server software.
http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/
This integer overflow fails over so you can do just about whatever you
like; especially with the right tools:
http://exploitsdownload.com/search/nginx/
Old stuff from 2010: "A noobs guide to hacking Nginx"
http://hoisie.com/2010/12/29/a-cool-example-of-hacking-nginx/
Nginx Tuesday announced the release of nginx-1.4.1 <
http://nginx.org/en/> --
as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow
vulnerability that attackers could exploit to execute arbitrary code on a
Ngnix server and completely compromise it. In a security
advisory<
http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html>
issued
Tuesday, Nginx said the
bug<
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028> is
present in Nginx versions 1.3.9 and 1.4.0. "The problem is fixed in nginx
1.5.0 [and] 1.4.1," it said.
Yes, installing from repo (with Redhat/CentOs/Fedora and uBuntu) means that
if a vulnerability exists with a patch available, the Nginx installed is
going to include that security fix.
CentOs/Redhat (and Ubuntu) are so fast with fixing vulnerabilities ( and
the Nginx security issues are all the standard browser stack vulns (stack
smash, XSS, remote code execution, escalated privs). Of course there are
also a few implementation security issues - that seem like nice hacks on
the front side until - well, your site is defaced:
http://www.theadminzone.com/forums/showthread.php?t=99536
It's really rather outrageous that Apache has dominated this space for so
long, when slimmed down httpd servers and reverse proxies do the job so
much better, especially in 3/4 tiered environments with J2EE, is it not?
Nginx:
http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/
I personally still favor the custom compiled Apache2 with vastly scaled
down binary size (dynamic module stripping) and custom server signature
[replacing "Apache2 $version" with "$customstring $version" which IS
allowed under the Apache2 license] (to reduce fingerprinting - and
therefore also limit script kiddies - if we can't mitigate everything let's
obfuscate!.
>
>
> --
> -Eric 'shubes'
> ------------------------------**---------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.**org<PLUG-discuss@lists.phxlinux.org>
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/**mailman/listinfo/plug-discuss<http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>
--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com <
http://it-clowns.com/d/>
Chief Clown
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)