Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-45132: Remove X-Forwarded-For header special processing (#103) · wargio/naxsi@1b71252

NAXSI is an open-source maintenance web application firewall (WAF) for NGINX. An issue present starting in version 1.3 and prior to version 1.6 allows someone to bypass the WAF when a malicious X-Forwarded-For IP matches IgnoreIP IgnoreCIDR rules. This old code was arranged to allow older NGINX versions to also support IgnoreIP IgnoreCIDR when multiple reverse proxies were present. The issue is patched in version 1.6. As a workaround, do not set any IgnoreIP IgnoreCIDR for older versions.

CVE
#sql#xss#web#nginx

Expand Up @@ -60,7 +60,7 @@ location /RequestDenied { GET /?a=buibui — error_code: 200 === TEST 1.2: IgnoreCIDR request with X-Forwarded-For allow (no file) === TEST 1.2.1: IgnoreCIDR request with X-Forwarded-For allow without real_ip config (no file) — main_config load_module $TEST_NGINX_NAXSI_MODULE_SO; — http_config Expand All @@ -83,7 +83,35 @@ location /RequestDenied { — more_headers X-Forwarded-For: 1.1.1.1 — request GET /?a=buibui GET /?a=<> — error_code: 412 === TEST 1.2.2: IgnoreCIDR request with X-Forwarded-For allow with real_ip config (no file) — main_config load_module $TEST_NGINX_NAXSI_MODULE_SO; — http_config include $TEST_NGINX_NAXSI_RULES; set_real_ip_from 127.0.0.1; real_ip_header X-Forwarded-For; — config location / { SecRulesEnabled; IgnoreCIDR "1.1.1.0/24"; DeniedUrl "/RequestDenied"; CheckRule “$SQL >= 8” BLOCK; CheckRule “$RFI >= 8” BLOCK; CheckRule “$TRAVERSAL >= 4” BLOCK; CheckRule “$XSS >= 8” BLOCK; root $TEST_NGINX_SERVROOT/html/; index index.html index.htm; } location /RequestDenied { return 412; } — more_headers X-Forwarded-For: 1.1.1.1 — request GET /?a=<> — error_code: 200 === TEST 1.3: IgnoreCIDR request with X-Forwarded-For deny (no file) Expand Down Expand Up @@ -163,7 +191,7 @@ location /RequestDenied { GET /foobar — error_code: 200 === TEST 1.6: IgnoreCIDR request with X-Forwarded-For allow (ipv6) === TEST 1.6.1: IgnoreCIDR request with X-Forwarded-For allow without real_ip config (ipv6) — main_config load_module $TEST_NGINX_NAXSI_MODULE_SO; — http_config Expand All @@ -187,13 +215,71 @@ location /RequestDenied { X-Forwarded-For: 2001:4860:4860::8888 — request GET /?a=<> — error_code: 412 === TEST 1.6.2: IgnoreCIDR request with X-Forwarded-For allow with real_ip config (ipv6) — main_config load_module $TEST_NGINX_NAXSI_MODULE_SO; — http_config include $TEST_NGINX_NAXSI_RULES; set_real_ip_from 127.0.0.1; set_real_ip_from ::1/128; real_ip_header X-Forwarded-For; — config location / { SecRulesEnabled; IgnoreCIDR "2001:4860:4860::/112"; DeniedUrl "/RequestDenied"; CheckRule “$SQL >= 8” BLOCK; CheckRule “$RFI >= 8” BLOCK; CheckRule “$TRAVERSAL >= 4” BLOCK; CheckRule “$XSS >= 8” BLOCK; root $TEST_NGINX_SERVROOT/html/; index index.html index.htm; } location /RequestDenied { return 412; } — more_headers X-Forwarded-For: 2001:4860:4860::8888 — request GET /?a=<> — error_code: 200 === TEST 1.7: Verify IgnoreCIDR 2001:4860:4860::8888/128 is converted to IgnoreIP === TEST 1.7.1: Verify IgnoreCIDR 2001:4860:4860::8888/128 is converted to IgnoreIP without real_ip config — main_config load_module $TEST_NGINX_NAXSI_MODULE_SO; — http_config include $TEST_NGINX_NAXSI_RULES; — config location / { SecRulesEnabled; IgnoreCIDR "2001:4860:4860::8888/128"; DeniedUrl "/RequestDenied"; CheckRule “$SQL >= 8” BLOCK; CheckRule “$RFI >= 8” BLOCK; CheckRule “$TRAVERSAL >= 4” BLOCK; CheckRule “$XSS >= 8” BLOCK; root $TEST_NGINX_SERVROOT/html/; index index.html index.htm; } location /RequestDenied { return 412; } — more_headers X-Forwarded-For: 2001:4860:4860::8888 — request GET /?a=<> — error_code: 412 === TEST 1.7.2: Verify IgnoreCIDR 2001:4860:4860::8888/128 is converted to IgnoreIP with real_ip config — main_config load_module $TEST_NGINX_NAXSI_MODULE_SO; — http_config include $TEST_NGINX_NAXSI_RULES; set_real_ip_from 127.0.0.1; set_real_ip_from ::1/128; real_ip_header X-Forwarded-For; — config location / { SecRulesEnabled; Expand Down

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907