Vulnerabilities > CVE-2013-4547 - Improper Encoding or Escaping of Output vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Embedding Scripts in Non-Script Elements This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
- Simple Script Injection An attacker embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.
- User-Controlled Filename An attack of this type involves an attacker inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
- Web Logs Tampering Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
Exploit-Db
| description | nginx 1.1.17 URI Processing Security Bypass Vulnerability. CVE-2013-4547. Remote exploits for multiple platform |
| id | EDB-ID:38846 |
| last seen | 2016-02-04 |
| modified | 2013-11-19 |
| published | 2013-11-19 |
| reporter | Ivan Fratric |
| source | https://www.exploit-db.com/download/38846/ |
| title | nginx <= 1.1.17 URI Processing Security Bypass Vulnerability |
Nessus
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2013-249.NASL description nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI. last seen 2020-06-01 modified 2020-06-02 plugin id 71266 published 2013-12-10 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71266 title Amazon Linux AMI : nginx (ALAS-2013-249) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2013-249. # include("compat.inc"); if (description) { script_id(71266); script_version("1.4"); script_cvs_date("Date: 2018/04/18 15:09:35"); script_cve_id("CVE-2013-4547"); script_xref(name:"ALAS", value:"2013-249"); script_name(english:"Amazon Linux AMI : nginx (ALAS-2013-249)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI." ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2013-249.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update nginx' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nginx-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2013/12/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"nginx-1.4.3-1.14.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"nginx-debuginfo-1.4.3-1.14.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx / nginx-debuginfo"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-913.NASL description The nginx webserver was fixed to avoid a restriction bypass when a space in not correctly escaped. (CVE-2013-4547) last seen 2020-06-05 modified 2014-06-13 plugin id 75218 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75218 title openSUSE Security Update : nginx-1.0 (openSUSE-SU-2013:1791-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2013-913. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(75218); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2013-4547"); script_name(english:"openSUSE Security Update : nginx-1.0 (openSUSE-SU-2013:1791-1)"); script_summary(english:"Check for the openSUSE-2013-913 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The nginx webserver was fixed to avoid a restriction bypass when a space in not correctly escaped. (CVE-2013-4547)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=851295" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2013-11/msg00118.html" ); script_set_attribute( attribute:"solution", value:"Update the affected nginx-1.0 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-1.0-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.2"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE12\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE12.2", reference:"nginx-1.0-1.0.15-3.4.1") ) flag++; if ( rpm_check(release:"SUSE12.2", reference:"nginx-1.0-debuginfo-1.0.15-3.4.1") ) flag++; if ( rpm_check(release:"SUSE12.2", reference:"nginx-1.0-debugsource-1.0.15-3.4.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx-1.0"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2802.NASL description Ivan Fratric of the Google Security Team discovered a bug in nginx, a web server, which might allow an attacker to bypass security restrictions by using a specially crafted request. The oldstable distribution (squeeze) is not affected by this problem. last seen 2020-03-17 modified 2013-11-25 plugin id 71055 published 2013-11-25 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71055 title Debian DSA-2802-1 : nginx - restriction bypass code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2802. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(71055); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2013-4547"); script_bugtraq_id(63814); script_xref(name:"DSA", value:"2802"); script_name(english:"Debian DSA-2802-1 : nginx - restriction bypass"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Ivan Fratric of the Google Security Team discovered a bug in nginx, a web server, which might allow an attacker to bypass security restrictions by using a specially crafted request. The oldstable distribution (squeeze) is not affected by this problem." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730012" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/nginx" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2013/dsa-2802" ); script_set_attribute( attribute:"solution", value: "Upgrade the nginx packages. For the stable distribution (wheezy), this problem has been fixed in version 1.2.1-2.2+wheezy2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"nginx", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-common", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-doc", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-extras", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-extras-dbg", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-full", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-full-dbg", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-light", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-light-dbg", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-naxsi", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-naxsi-dbg", reference:"1.2.1-2.2+wheezy2")) flag++; if (deb_check(release:"7.0", prefix:"nginx-naxsi-ui", reference:"1.2.1-2.2+wheezy2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-882.NASL description The nginx webserver was fixed to avoid a restriction bypass when a space in not correctly escaped. (CVE-2013-4547) On openSUSE 12.2, nginx was updated to version 1.4.4 stable - CVE-2013-4547 a character following an unescaped space in a request line was handled incorrectly [bnc#851295] - bugfix: segmentation fault might occur in the spdy module - bugfix: segmentation fault might occur on start if if the last seen 2020-06-05 modified 2014-06-13 plugin id 75210 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75210 title openSUSE Security Update : nginx (openSUSE-SU-2013:1745-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2013-882. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(75210); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2013-4547"); script_bugtraq_id(63814); script_name(english:"openSUSE Security Update : nginx (openSUSE-SU-2013:1745-1)"); script_summary(english:"Check for the openSUSE-2013-882 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The nginx webserver was fixed to avoid a restriction bypass when a space in not correctly escaped. (CVE-2013-4547) On openSUSE 12.2, nginx was updated to version 1.4.4 stable - CVE-2013-4547 a character following an unescaped space in a request line was handled incorrectly [bnc#851295] - bugfix: segmentation fault might occur in the spdy module - bugfix: segmentation fault might occur on start if if the 'try_files' directive was used with an empty parameter." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=851295" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2013-11/msg00084.html" ); script_set_attribute( attribute:"solution", value:"Update the affected nginx packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE12.3", reference:"nginx-1.2.9-3.8.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"nginx-debuginfo-1.2.9-3.8.1") ) flag++; if ( rpm_check(release:"SUSE12.3", reference:"nginx-debugsource-1.2.9-3.8.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"nginx-1.4.4-3.5.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"nginx-debuginfo-1.4.4-3.5.1") ) flag++; if ( rpm_check(release:"SUSE13.1", reference:"nginx-debugsource-1.4.4-3.5.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_94B6264A514011E38B22F0DEF16C5C1B.NASL description The nginx project reports : Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547). last seen 2020-06-01 modified 2020-06-02 plugin id 70965 published 2013-11-20 reporter This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/70965 title FreeBSD : nginx -- Request line parsing vulnerability (94b6264a-5140-11e3-8b22-f0def16c5c1b) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(70965); script_version("1.4"); script_cvs_date("Date: 2018/11/10 11:49:43"); script_cve_id("CVE-2013-4547"); script_name(english:"FreeBSD : nginx -- Request line parsing vulnerability (94b6264a-5140-11e3-8b22-f0def16c5c1b)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "The nginx project reports : Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547)." ); script_set_attribute( attribute:"see_also", value:"http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html" ); # https://vuxml.freebsd.org/freebsd/94b6264a-5140-11e3-8b22-f0def16c5c1b.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1ff1285c" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:nginx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:nginx-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/19"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"nginx>=0.8.41<1.4.4,1")) flag++; if (pkg_test(save_report:TRUE, pkg:"nginx-devel>=0.8.41<1.5.7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Web Servers NASL id NGINX_1_5_7.NASL description According to the self-reported version in the Server response header, the installed version of nginx is greater than 0.8.41 but prior to 1.4.4 / 1.5.7. It is, therefore, affected by a security bypass vulnerability in last seen 2020-05-09 modified 2013-11-27 plugin id 71117 published 2013-11-27 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71117 title nginx < 1.4.4 / 1.5.7 ngx_parse_http Security Bypass code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(71117); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08"); script_cve_id("CVE-2013-4547"); script_bugtraq_id(63814); script_name(english:"nginx < 1.4.4 / 1.5.7 ngx_parse_http Security Bypass"); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by a security bypass vulnerability."); script_set_attribute(attribute:"description", value: "According to the self-reported version in the Server response header, the installed version of nginx is greater than 0.8.41 but prior to 1.4.4 / 1.5.7. It is, therefore, affected by a security bypass vulnerability in 'ngx_http_parse.c' when a file with a space at the end of the URI is requested."); script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/security_advisories.html"); script_set_attribute(attribute:"see_also", value:"http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html"); script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/CHANGES-1.4"); script_set_attribute(attribute:"see_also", value:"http://nginx.org/en/CHANGES"); script_set_attribute(attribute:"solution", value: "Either apply the patch manually or upgrade to nginx 1.4.4 / 1.5.7 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4547"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/19"); script_set_attribute(attribute:"patch_publication_date", value:"2013/11/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/27"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:igor_sysoev:nginx"); script_set_attribute(attribute:"agent", value:"unix"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("nginx_detect.nasl", "nginx_nix_installed.nbin"); script_require_keys("installed_sw/nginx"); exit(0); } include('http.inc'); include('vcf.inc'); appname = 'nginx'; get_install_count(app_name:appname, exit_if_zero:TRUE); app_info = vcf::combined_get_app_info(app:appname); vcf::check_granularity(app_info:app_info, sig_segments:3); # If the detection is only remote, Detection Method won't be set, and we should require paranoia if (empty_or_null(app_info['Detection Method']) && report_paranoia < 2) audit(AUDIT_PARANOID); constraints = [ {'fixed_version' : '1.4.4', 'min_version' : '0.8.41'}, {'fixed_version' : '1.5.6', 'min_version' : '1.5.0'}]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);NASL family Fedora Local Security Checks NASL id FEDORA_2013-22026.NASL description - Update to the latest version - Upstream changelog can be found at http://nginx.org/en/CHANGES-1.4 - Security fix BZ 1032267 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-14 plugin id 71405 published 2013-12-14 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71405 title Fedora 20 : nginx-1.4.4-1.fc20 (2013-22026) NASL family Fedora Local Security Checks NASL id FEDORA_2013-21826.NASL description - Update to the latest version - Upstream changelog can be found at http://nginx.org/en/CHANGES-1.4 - Security fix BZ 1032267 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-02 plugin id 71147 published 2013-12-02 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71147 title Fedora 19 : nginx-1.4.4-1.fc19 (2013-21826) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-281.NASL description Updated nginx package fixes security vulnerability : Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547). last seen 2020-06-01 modified 2020-06-02 plugin id 71076 published 2013-11-25 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/71076 title Mandriva Linux Security Advisory : nginx (MDVSA-2013:281)
Related news
References
- http://www.debian.org/security/2012/dsa-2802
- http://lists.opensuse.org/opensuse-updates/2013-11/msg00084.html
- http://secunia.com/advisories/55757
- http://secunia.com/advisories/55825
- http://secunia.com/advisories/55822
- http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
- http://lists.opensuse.org/opensuse-updates/2013-11/msg00118.html
- http://lists.opensuse.org/opensuse-updates/2013-11/msg00119.html
- http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00007.html