CVE-2013-4547 - Improper Encoding or Escaping of Output vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, f5, suse, opensuse, CWE-116, nessus, exploit available

Summary

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.

Vulnerable Configurations

Part         Description  Count
Application  F5           97
Application  Suse         3
OS           Opensuse     4

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Embedding Scripts in Non-Script Elements
    This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts, such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch an XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
  • Simple Script Injection
    An attacker embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the user's privilege level. An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them into user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.
  • User-Controlled Filename
    An attack of this type involves an attacker inserting malicious characters (such as an XSS redirection) into a filename, directly or indirectly, that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user-supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
  • Web Logs Tampering
    Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

Exploit-Db

description: nginx 1.1.17 URI Processing Security Bypass Vulnerability. CVE-2013-4547. Remote exploits for multiple platform
id: EDB-ID:38846
last seen: 2016-02-04
modified: 2013-11-19
published: 2013-11-19
reporter: Ivan Fratric
source: https://www.exploit-db.com/download/38846/
title: nginx <= 1.1.17 URI Processing Security Bypass Vulnerability

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2013-249.NASL
    description: nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71266
    published: 2013-12-10
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/71266
    title: Amazon Linux AMI : nginx (ALAS-2013-249)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2013-249.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71266);
      script_version("1.4");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2013-4547");
      script_xref(name:"ALAS", value:"2013-249");
    
      script_name(english:"Amazon Linux AMI : nginx (ALAS-2013-249)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote
    attackers to bypass intended restrictions via an unescaped space
    character in a URI."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2013-249.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update nginx' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/12/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"nginx-1.4.3-1.14.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"nginx-debuginfo-1.4.3-1.14.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx / nginx-debuginfo");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-913.NASL
    description: The nginx webserver was fixed to avoid a restriction bypass when a space is not correctly escaped. (CVE-2013-4547)
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75218
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75218
    title: openSUSE Security Update : nginx-1.0 (openSUSE-SU-2013:1791-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2013-913.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75218);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2013-4547");
    
      script_name(english:"openSUSE Security Update : nginx-1.0 (openSUSE-SU-2013:1791-1)");
      script_summary(english:"Check for the openSUSE-2013-913 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The nginx webserver was fixed to avoid a restriction bypass when a
    space in not correctly escaped. (CVE-2013-4547)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=851295"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2013-11/msg00118.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected nginx-1.0 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.2", reference:"nginx-1.0-1.0.15-3.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"nginx-1.0-debuginfo-1.0.15-3.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.2", reference:"nginx-1.0-debugsource-1.0.15-3.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx-1.0");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2802.NASL
    description: Ivan Fratric of the Google Security Team discovered a bug in nginx, a web server, which might allow an attacker to bypass security restrictions by using a specially crafted request. The oldstable distribution (squeeze) is not affected by this problem.
    last seen: 2020-03-17
    modified: 2013-11-25
    plugin id: 71055
    published: 2013-11-25
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71055
    title: Debian DSA-2802-1 : nginx - restriction bypass
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2802. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71055);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2013-4547");
      script_bugtraq_id(63814);
      script_xref(name:"DSA", value:"2802");
    
      script_name(english:"Debian DSA-2802-1 : nginx - restriction bypass");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Ivan Fratric of the Google Security Team discovered a bug in nginx, a
    web server, which might allow an attacker to bypass security
    restrictions by using a specially crafted request.
    
    The oldstable distribution (squeeze) is not affected by this problem."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730012"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/nginx"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2013/dsa-2802"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the nginx packages.
    
    For the stable distribution (wheezy), this problem has been fixed in
    version 1.2.1-2.2+wheezy2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"nginx", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-common", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-doc", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-extras", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-extras-dbg", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-full", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-full-dbg", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-light", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-light-dbg", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-naxsi", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-naxsi-dbg", reference:"1.2.1-2.2+wheezy2")) flag++;
    if (deb_check(release:"7.0", prefix:"nginx-naxsi-ui", reference:"1.2.1-2.2+wheezy2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-882.NASL
    description: The nginx webserver was fixed to avoid a restriction bypass when a space is not correctly escaped. (CVE-2013-4547) On openSUSE 12.2, nginx was updated to version 1.4.4 stable - CVE-2013-4547 a character following an unescaped space in a request line was handled incorrectly [bnc#851295] - bugfix: segmentation fault might occur in the spdy module - bugfix: segmentation fault might occur on start if the
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75210
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75210
    title: openSUSE Security Update : nginx (openSUSE-SU-2013:1745-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2013-882.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75210);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2013-4547");
      script_bugtraq_id(63814);
    
      script_name(english:"openSUSE Security Update : nginx (openSUSE-SU-2013:1745-1)");
      script_summary(english:"Check for the openSUSE-2013-882 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The nginx webserver was fixed to avoid a restriction bypass when a
    space in not correctly escaped. (CVE-2013-4547)
    
    On openSUSE 12.2, nginx was updated to version 1.4.4 stable 
    
      - CVE-2013-4547 a character following an unescaped space
        in a request line was handled incorrectly [bnc#851295]
    
      - bugfix: segmentation fault might occur in the spdy
        module
    
      - bugfix: segmentation fault might occur on start if if
        the 'try_files' directive was used with an empty
        parameter."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=851295"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2013-11/msg00084.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected nginx packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.3", reference:"nginx-1.2.9-3.8.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"nginx-debuginfo-1.2.9-3.8.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"nginx-debugsource-1.2.9-3.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"nginx-1.4.4-3.5.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"nginx-debuginfo-1.4.4-3.5.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"nginx-debugsource-1.4.4-3.5.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_94B6264A514011E38B22F0DEF16C5C1B.NASL
    description: The nginx project reports : Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 70965
    published: 2013-11-20
    reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/70965
    title: FreeBSD : nginx -- Request line parsing vulnerability (94b6264a-5140-11e3-8b22-f0def16c5c1b)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(70965);
      script_version("1.4");
      script_cvs_date("Date: 2018/11/10 11:49:43");
    
      script_cve_id("CVE-2013-4547");
    
      script_name(english:"FreeBSD : nginx -- Request line parsing vulnerability (94b6264a-5140-11e3-8b22-f0def16c5c1b)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The nginx project reports :
    
    Ivan Fratric of the Google Security Team discovered a bug in nginx,
    which might allow an attacker to bypass security restrictions in
    certain configurations by using a specially crafted request, or might
    have potential other impact (CVE-2013-4547)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html"
      );
      # https://vuxml.freebsd.org/freebsd/94b6264a-5140-11e3-8b22-f0def16c5c1b.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1ff1285c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:nginx-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"nginx>=0.8.41<1.4.4,1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"nginx-devel>=0.8.41<1.5.7")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Web Servers
    NASL id: NGINX_1_5_7.NASL
    description: According to the self-reported version in the Server response header, the installed version of nginx is greater than 0.8.41 but prior to 1.4.4 / 1.5.7. It is, therefore, affected by a security bypass vulnerability in
    last seen: 2020-05-09
    modified: 2013-11-27
    plugin id: 71117
    published: 2013-11-27
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71117
    title: nginx < 1.4.4 / 1.5.7 ngx_parse_http Security Bypass
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(71117);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");
    
      script_cve_id("CVE-2013-4547");
      script_bugtraq_id(63814);
    
      script_name(english:"nginx < 1.4.4 / 1.5.7 ngx_parse_http Security Bypass");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by a security bypass
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to the self-reported version in the Server response header,
    the installed version of nginx is greater than 0.8.41 but prior to 1.4.4
    / 1.5.7.  It is, therefore, affected by a security bypass vulnerability
    in 'ngx_http_parse.c' when a file with a space at the end of the URI is
    requested.");
      script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/security_advisories.html");
      script_set_attribute(attribute:"see_also", value:"http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html");
      script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/CHANGES-1.4");
      script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/CHANGES");
      script_set_attribute(attribute:"solution", value:
    "Either apply the patch manually or upgrade to nginx 1.4.4 / 1.5.7 or
    later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4547");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/11/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/27");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:igor_sysoev:nginx");
      script_set_attribute(attribute:"agent", value:"unix");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("nginx_detect.nasl", "nginx_nix_installed.nbin");
      script_require_keys("installed_sw/nginx"); 
      exit(0);
    }
    
    include('http.inc');
    include('vcf.inc');
    
    appname = 'nginx';
    get_install_count(app_name:appname, exit_if_zero:TRUE);
    app_info = vcf::combined_get_app_info(app:appname);
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    # If the detection is only remote, Detection Method won't be set, and we should require paranoia
    if (empty_or_null(app_info['Detection Method']) && report_paranoia < 2)
      audit(AUDIT_PARANOID);
    
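    # The 1.5.x branch is fixed in 1.5.7, so the upper bound must be 1.5.7;
    # a bound of 1.5.6 would leave 1.5.6 itself unreported.
    constraints = [
      {'fixed_version' : '1.4.4', 'min_version' : '0.8.41'},
      {'fixed_version' : '1.5.7', 'min_version' : '1.5.0'}];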
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-22026.NASL
    description: - Update to the latest version - Upstream changelog can be found at http://nginx.org/en/CHANGES-1.4 - Security fix BZ 1032267. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-12-14
    plugin id: 71405
    published: 2013-12-14
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71405
    title: Fedora 20 : nginx-1.4.4-1.fc20 (2013-22026)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-21826.NASL
    description: - Update to the latest version - Upstream changelog can be found at http://nginx.org/en/CHANGES-1.4 - Security fix BZ 1032267. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-12-02
    plugin id: 71147
    published: 2013-12-02
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71147
    title: Fedora 19 : nginx-1.4.4-1.fc19 (2013-21826)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2013-281.NASL
    description: Updated nginx package fixes security vulnerability: Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71076
    published: 2013-11-25
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/71076
    title: Mandriva Linux Security Advisory : nginx (MDVSA-2013:281)