Closed
Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap)
Description
It is easy.

Your error:

```
root@server:~/server-scripts# gixy
[nginx_parser] WARNING File not found: /etc/nginx/conf.d/*.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$uri" can contain "\n"
Pseudo config:
include /etc/nginx/sites-enabled/sync.patrikx3.tk;
server {
  server_name sync.patrikx3.tk;
  location / {
    rewrite ^ /index.php$uri;
  }
}
==================== Summary ===================
Total issues:
  Unspecified: 0
  Low: 0
  Medium: 0
  High: 1
```

Just do not use $uri for NGINX; use $request_uri.

For use like this:

```nginx
location / {
  rewrite ^ /index.php$request_uri;
}
```
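The following is an added example written for this page; it is not code from the issue author, from the project, or from gixy. It shows the mechanism behind the finding above (nginx percent-decodes `$uri`, so an encoded CRLF in the path becomes a real line break, while `$request_uri` keeps the raw escapes) and implements a simplified version of the http_splitting check so a config can be scanned before the real tool is run. The directive and variable lists in it are assumptions chosen for the example, not gixy's own lists, and the config strings are constructed to mirror the issue's rewrite plus its suggested fix.

```python
"""Added example, not code from the original issue or from gixy itself.

It shows why gixy's http_splitting rule fires on `rewrite ^ /index.php$uri;`
and passes `rewrite ^ /index.php$request_uri;`: nginx hands out $uri
percent-decoded (and normalised), so a path containing %0d%0a becomes a value
with a literal CRLF, while $request_uri is the raw request line and keeps the
escapes.  The checker below is a deliberately simplified re-implementation of
that rule (assumed directive and variable lists), useful for a quick config
review before the real tool runs.
"""
import re
from urllib.parse import unquote

# Variables nginx exposes already percent-decoded, so they may carry "\r\n".
# Assumed list for this example; gixy tracks more (e.g. regex captures).
DECODED_VARS_RE = re.compile(r"\$(uri|document_uri)\b")

# Directives whose argument can reach a response header (Location, custom
# headers) or an upstream request line.  Assumed list for this example.
HEADER_DIRECTIVES = {"rewrite", "return", "add_header", "proxy_set_header", "proxy_pass"}


def nginx_vars(raw_path: str) -> dict:
    """Approximate how nginx derives $uri and $request_uri from a request path.

    Real nginx also normalises $uri (merges slashes, resolves "..");
    this example only models the percent-decoding, which is what matters here.
    """
    path_only = raw_path.split("?", 1)[0]
    return {"$request_uri": raw_path, "$uri": unquote(path_only)}


def find_http_splitting(config: str) -> list:
    """Return (line_no, directive, variable) for each risky variable use."""
    findings = []
    for line_no, line in enumerate(config.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            continue
        directive = stripped.split(None, 1)[0]
        if directive not in HEADER_DIRECTIVES:
            continue
        for match in DECODED_VARS_RE.finditer(stripped):
            findings.append((line_no, directive, match.group(0)))
    return findings


# Constructed configs: the first mirrors the rewrite from the issue plus a
# redirect that uses the same variable; the second is the suggested fix.
VULNERABLE_CONFIG = """\
server {
    server_name sync.patrikx3.tk;
    location / {
        rewrite ^ /index.php$uri;
    }
    location /old/ {
        return 301 https://sync.patrikx3.tk$uri;
    }
}
"""

FIXED_CONFIG = VULNERABLE_CONFIG.replace("$uri", "$request_uri")


if __name__ == "__main__":
    # Constructed request path with an encoded CRLF followed by a bogus header.
    crafted = "/index.php%0d%0aX-Injected:%201"
    values = nginx_vars(crafted)
    print("$uri contains CRLF:        ", "\r\n" in values["$uri"])
    print("$request_uri contains CRLF:", "\r\n" in values["$request_uri"])
    print("vulnerable config:", find_http_splitting(VULNERABLE_CONFIG))
    print("fixed config:     ", find_http_splitting(FIXED_CONFIG))
```

The checker assumes one directive per line and does not parse nginx blocks, so a directive written inline with its `location { ... }` is missed; it is a pre-commit sanity check, not a replacement for running gixy against the real include tree.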