Some cases of insecure NGINX configurations

Mon 02 June 2014

Nginx is a very nice web server with flexible configuration options and secure-enough defaults.

But sometimes administrators can make mistakes when cooking it.

Case 1: try_files

Nginx has a nice feature, try_files, which "checks the existence of files in the specified order and uses the first found file for request processing ...", "if ...

cURL buffer overflow

Wed 06 February 2013

Volema found a remotely exploitable buffer overflow vulnerability in the libcurl POP3 and SMTP protocol handlers which leads to code execution (RCE). When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided by the server without doing the proper length checks, and that data is then appended to a local fixed-size ...

PHP <=5.4.8, <=5.3.18 with mbstring.encoding_translation = On is vulnerable to HashDoS

Mon 26 November 2012

The HashDoS attack on scripting languages was first introduced at the 28C3 conference [1]. It targets the performance bottleneck in keeping large hash tables made of request parameters.

The main way to protect against this attack is to limit the number of request parameters. In PHP this is done through the ...

Opera SVG+XML Handling Vulnerability

Sat 06 October 2012

Some time ago we found in the wild an exploit for a vulnerability that allows redirecting an Opera user to an arbitrary host by just inserting an <img> tag on the victim site. This vulnerability was actively exploited for redirecting users to a phishing site, which imitated a large ...