nginx ngx_http_proxy_module.c Memory Disclosure

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a remote memory disclosure
vulnerability.

Description :

According to its Server response header, the installed version of nginx
is 1.1.x, greater than or equal to 1.1.4, or 1.2.x prior to 1.2.9. It
is, therefore, affected by a memory disclosure vulnerability in
'ngx_http_proxy_module.c' when 'proxy_pass' to untrusted upstream
servers is used.

By sending a specially crafted request, an attacker may be able to gain
access to worker process memory or trigger a denial of service
condition.

See also :

http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
http://nginx.org/en/security_advisories.html

Solution :

Either apply the patch manually or upgrade to nginx 1.2.9 or later.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 66671 ()

Bugtraq ID: 59824

CVE ID: CVE-2013-2070