*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):
Binary package hint: nginx The version of nginx provided in Lucid Lynx is out-of-date. In particular, it is missing a commit (r3528 from svn://svn.nginx.org) that modified how null bytes in the URI are handled. This commit was released as a part of nginx 0.7.66. The current behavior is dangerous when nginx is acting as a web server in front of a FastCGI server (in particular, a PHP-FCGI server). By using the null byte to append a different extension (eg: .php) to the URI, an attacker can convince nginx to pass the full URI, including the null byte, through to the FastCGI server. In the case of PHP-FCGI, all of the data after the null byte is discarded. So for instance, http://example.org/uploads/file.jpg%00.php would cause http://example.org/uploads/file.jpg to be parsed as PHP. For sites where file uploads are allowed, this can lead to unintended arbitrary code execution. This issue may affect nginx packages in other, older Ubuntu releases. ** Affects: nginx (Ubuntu) Importance: Undecided Status: New -- nginx package in Lucid Lynx allows null byte vulnerability in certain configurations https://bugs.launchpad.net/bugs/783508 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs