*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Jamie Strandboge 
(jdstrand):

Binary package hint: nginx

The version of nginx provided in Lucid Lynx is out-of-date. In
particular, it is missing a commit (r3528 from svn://svn.nginx.org) that
modified how null bytes in the URI are handled. This commit was released
as a part of nginx 0.7.66.

The current behavior is dangerous when nginx is acting as a web server
in front of a FastCGI server (in particular, a PHP-FCGI server). By
using the null byte to append a different extension (eg: .php) to the
URI, an attacker can convince nginx to pass the full URI, including the
null byte, through to the FastCGI server. In the case of PHP-FCGI, all
of the data after the null byte is discarded. So for instance,
http://example.org/uploads/file.jpg%00.php would cause
http://example.org/uploads/file.jpg to be parsed as PHP. For sites where
file uploads are allowed, this can lead to unintended arbitrary code
execution.

This issue may affect nginx packages in other, older Ubuntu releases.

** Affects: nginx (Ubuntu)
     Importance: Undecided
         Status: New

-- 
nginx package in Lucid Lynx allows null byte vulnerability in certain 
configurations
https://bugs.launchpad.net/bugs/783508
You received this bug notification because you are a member of Ubuntu Bugs, 
which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to