Nginx 0-day vulnerability allows image uploads to intrude into millions of servers

Source: Internet
Author: User

80sec, one of the top security teams in China, issued an advisory on the nginx vulnerability at 6 p.m. on the 20th. Because of this vulnerability, a website built on nginx + PHP can be compromised as long as it lets users upload images. As of the early morning of May 21, nginx had not released a patch for it. Some websites have already been hacked; administrators should apply a fix quickly!


According to Netcraft statistics, as of April 2010 roughly 13 million servers worldwide were running nginx. By a conservative estimate at least 6 million of them run nginx with PHP support enabled, and, again conservatively, one in six of those lets users upload images. The Netcraft chart speaks for itself.

So, to repeat: because of the nginx vulnerability, these million or so servers can easily have a web shell planted on them by an attacker who simply uploads an image. Planting the trojan is just as simple: the PHP trojan is packaged as an image file and uploaded. Because the potential for harm is great, I will not go into the details; if you are interested, see http://www.80sec.com/nginx-securit.html

I expect you are curious about the top security team 80sec, so here is a brief introduction by Su Baozi.

The 80sec team is made up of a group of young, energetic, healthy, passionate and creative unmarried men who play Dota and work in information security at major Internet companies. Their slogan is "know it, then hack it". Su Baozi very much agrees with this idea: "Only once we are thoroughly familiar with something can we objectively discover its shortcomings, and at the same time we can also find its strengths."

80sec means "port 80 security", that is, "Web security". At the same time, because the team members were all born after 1980, it can also be read as "post-80s security"; and because "sec" sounds like "se ke" in Chinese, it can also be read as "post-80s se ke" (a pun that works with several homophones), so our reading of 80sec is limited only by imagination.

Now for their achievements. They have discovered vulnerabilities in software such as IIS, IE, Firefox, Maxthon, TheWorld browser, PHPWind, DedeCMS, QQ Mail, QuarkMail and ExtMail.

Having introduced 80sec, we also have to introduce 80vul, another top-level security team focused on Web security. This team is likewise made up of post-80s guys (post-90s readers, the pressure is on :p). They too have found a large number of web application vulnerabilities, in IE, Gmail, WordPress, PHPWind, Discuz! and MyBB among others.

Seeing this, I think we all share one regret: why are there no post-80s girl hackers? (I have nothing against cross-dressers, but I must note that these are not cross-dressers.) I share the same regret.

Finally, one piece of gossip: the hackers are already at work. Security staff and system administrators should act now to fix the vulnerability. Do not count on luck, or your website may be hacked. According to the 80sec security advisory, the temporary fixes are as follows; you can choose any one of the three.

1. Set cgi.fix_pathinfo in php.ini to 0 and restart PHP (php-fpm or php-cgi). This is the most convenient fix, but you need to evaluate the impact of the change: applications that rely on PATH_INFO-style URLs may stop working.

2. Add the following to the nginx vhost configuration (inside the server {} block or the location {} block that hands .php requests to FastCGI) and restart or reload nginx. This is also convenient when there are few vhosts.

if ($fastcgi_script_name ~ \..*\/.*php) {
    return 403;
}

3. Forbid PHP execution in the upload directory. This does not require touching the web server itself, but with many vhosts and servers the workload rises sharply in the short term, so it is recommended only when there are few vhosts and servers.
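To make the three fixes concrete, here is an added example of my own (not code from the 80sec advisory or from this article). It models the behaviour behind the issue: nginx matches a request such as /uploads/evil.jpg/x.php against its .php location, passes the whole path to FastCGI as SCRIPT_FILENAME, and PHP with cgi.fix_pathinfo=1 walks back to the first existing file (evil.jpg) and executes it. The example then applies the regex from fix 2 to a few request paths. The document root, the file name evil.jpg, the contents of the files and the request paths are all constructed for the demonstration; POSIX paths are assumed.

```python
# Added example, not from the original article or from 80sec. Simulates PHP's
# cgi.fix_pathinfo resolution of the SCRIPT_FILENAME nginx builds, and the
# $fastcgi_script_name regex check from fix 2 of the 80sec advisory.
import os
import re
import tempfile

# Regex from fix 2, nginx PCRE "\..*\/.*php" rewritten in Python syntax:
# a dot, then anything, then a slash, then anything, then "php".
FASTCGI_BLOCK_RE = re.compile(r"\..*/.*php")


def resolve_script(script_filename, fix_pathinfo):
    """Return (script_to_run, path_info) as php-cgi/php-fpm would, or None if nothing runs.

    With cgi.fix_pathinfo=1 PHP strips trailing path components until it reaches an
    existing regular file and reports the remainder as PATH_INFO. With 0, only an
    exact existing file is accepted.
    """
    if os.path.isfile(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        return None
    parts = script_filename.split("/")
    # Drop one trailing component at a time and stop at the first real file.
    for i in range(len(parts) - 1, 1, -1):
        candidate = "/".join(parts[:i])
        if os.path.isfile(candidate):
            return candidate, "/" + "/".join(parts[i:])
    return None


def nginx_blocks(fastcgi_script_name):
    """True when the fix-2 'if' block would return 403 for this $fastcgi_script_name."""
    return FASTCGI_BLOCK_RE.search(fastcgi_script_name) is not None


def make_sample_root():
    """Build a constructed document root: a real index.php and one 'image' carrying PHP."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php echo 'home'; ?>")
    # JPEG SOI marker followed by PHP code: a naive content-type check accepts it as an image.
    with open(os.path.join(root, "uploads", "evil.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0<?php echo 'owned'; ?>")
    return root


if __name__ == "__main__":
    root = make_sample_root()
    for uri in ("/index.php", "/uploads/evil.jpg/x.php", "/app.v2/index.php"):
        script = root + uri  # nginx: SCRIPT_FILENAME = $document_root$fastcgi_script_name
        print(uri,
              "| fix 2:", "403" if nginx_blocks(uri) else "passed to PHP",
              "| fix_pathinfo=1 runs:", resolve_script(script, True),
              "| fix_pathinfo=0 runs:", resolve_script(script, False))
```

Two things worth checking before you rely on fix 2: the regex matches any path with a dot in a directory component followed later by "php", so a legitimate URL such as /app.v2/index.php is also answered with 403; and the check only protects requests that reach the block where you placed it, so every server {} that serves PHP needs it. Fix 3, expressed in nginx terms, is a location block for the upload directory (for example `location ^~ /uploads/ { ... }`) that never contains a fastcgi_pass, so nothing under it is handed to PHP regardless of what the file is called.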

It is expected that today the back-and-forth between hackers and administrators will reach a small peak. If you want to follow the inside story, keep an eye on Su Baozi's site at http://baoz.net/nginx-0day-by-80sec/

Gossip update log:

5.21

Word is that a hacker team has prepared a scanner and developed semi-automated batch tools. Priority is being given to scanning sites with high rankings, high traffic and high PageRank.

