Anmol Sharma

anmol@pod.datamol.org

[Nginx] HTTP-Splitting vulnerability

Anmol Sharma

Thu, 03 May 2018 09:55:28 -0700

!Hubzilla Support Forum
Gixy shows HTTP-Splitting vulnerability in the nginx.conf.


==================== Results ===================

>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:

location / {

    if ($is_args != ) {
        rewrite ^/(.*) /index.php?q=$uri&$args last;
    }
    rewrite ^/(.*) /index.php?q=$uri last;
}

location ^~ /.well-known/ {
    rewrite ^/(.*) /index.php?q=$uri&$args last;
}

Started a github issue : https://github.com/redmatrix/hubzilla/issues/1155
Replacing $uri to $request_uri broke my instance. Can people using nginx confirm the same result ?

nginx security

show all 4 comments

Anmol Sharma

Fri, 04 May 2018 09:49:08 -0700

I have changed to this and its working. I will test more if everything works as usual.

What about:

location ^~ /.well-known/ {
    rewrite ^/(.*) /index.php?q=$uri&$args last;
}

Gixy still gives me warning for this.

Mario Vavti

Sat, 05 May 2018 00:31:11 -0700

https://github.com/redmatrix/hubzilla/commit/192b69b11a05adee52e09d434bab004e0b0d07d1

Anmol Sharma

Sat, 05 May 2018 00:55:25 -0700

@Mario Vavti
Thanks for the commit.