Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?

Without going through the way nginx parses an incoming request, I’m unsure
if nginx isn’t vulnerable to this, because of the availability to grab the
value of a GET parameter via
http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER. My hope is that
especially if an $arg_PARAMETER isn’t used in the config, it is not
vulnerable because it wouldn’t even attempt to parse the parameters, but I
can’t be sure.

Can anyone speak to this?

Hello!

On Sat, Dec 31, 2011 at 11:37:39AM -0700, Justin H. wrote:

> Can anyone speak to this?

It’s not vulnerable even if $arg_* is used.

Maxim D.

Thank you for the confirmation - I read through the parts of code in
question but wanted to get a second opinion.

How about the lua and/or the perl modules? It looks as if they are
using the nginx functions?


On Sun, Jan 1, 2012 at 1:58 PM, Justin H. wrote:

> Thank you for the confirmation - I read through the parts of code in
> question but wanted to get a second opinion.
>
> How about the lua and/or the perl modules? It looks as if they are
> using the nginx functions?

The current released versions of ngx_lua do have this vulnerability
in its ngx.req.get_uri_args() and ngx.req.get_post_args() functions.
I’ve already worked out a patch for these two functions in ngx_lua’s
git max-args branch here:

https://github.com/chaoslawful/lua-nginx-module/commit/75876

With this patch, both of these functions will only parse 100 query
args at most. One can specify a custom maximum number of args
parsed with an optional function argument (defaults to 100) and
enforce unlimited parsing by specifying a zero number.

This patch (as well as this branch) will be merged into the master
branch on 3 Jan.

Best,
-agentzh
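
Added example, not part of the thread and not ngx_lua's own code: a pure-Lua query-string parser showing the cap semantics described in the message above (default of 100, a custom limit as an optional argument, 0 for unlimited). The names `parse_args` and `unescape` and the sample query are assumptions made for illustration.

```lua
-- Added illustration, not ngx_lua source. parse_args and unescape are
-- hypothetical names; the query string below is constructed sample input.
local DEFAULT_MAX_ARGS = 100  -- default cap stated in the thread

local function unescape(s)
  s = s:gsub("%+", " ")
  return (s:gsub("%%(%x%x)", function(h)
    return string.char(tonumber(h, 16))
  end))
end

-- max_args: nil -> default of 100, 0 -> no limit, n -> parse at most n pairs.
local function parse_args(query, max_args)
  if max_args == nil then max_args = DEFAULT_MAX_ARGS end
  local args, count = {}, 0
  for pair in query:gmatch("[^&]+") do
    if max_args ~= 0 and count >= max_args then
      break  -- everything past the cap is never decoded or stored
    end
    count = count + 1
    local key, value = pair:match("^([^=]*)=(.*)$")
    if key then
      key, value = unescape(key), unescape(value)
    else
      key, value = unescape(pair), true  -- bare key with no "="
    end
    local existing = args[key]
    if existing == nil then
      args[key] = value
    elseif type(existing) == "table" then
      existing[#existing + 1] = value   -- third or later repeat of a key
    else
      args[key] = { existing, value }   -- second occurrence: collect values
    end
  end
  return args, count
end

-- Constructed input: one request carrying 1000 distinct parameters.
local parts = {}
for i = 1, 1000 do parts[i] = "k" .. i .. "=v" end
local query = table.concat(parts, "&")

for _, limit in ipairs({ DEFAULT_MAX_ARGS, 10, 0 }) do
  local _, parsed = parse_args(query, limit)
  print(("max_args=%d parsed=%d of 1000"):format(limit, parsed))
end
```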

On 1 January 2012 17:20, agentzh wrote:

> I’ve already worked out a patch for these two functions in ngx_lua’s
> branch in 3 Jan.

It would probably be a good idea at that point, to finally make a
release of v0.3.1 of the ngx_lua module as with about 45 “Release
Candidates”, it must already hold some record :)

On Sun, Jan 1, 2012 at 2:37 AM, Justin H. wrote:

> Without going through the way nginx parses an incoming request, I’m unsure
> if nginx isn’t vulnerable to this, because of the availability to grab the
> value of a GET parameter
> via http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER. My hope is that
> especially if an $arg_PARAMETER isn’t used in the config, it is not
> vulnerable because it wouldn’t even attempt to parse the parameters, but I
> can’t be sure.

Well, the $arg_PARAMETER variable is not implemented with hash tables
at all ;) It scans the URI query string at every invocation :)

Regards,
-agentzh

On Sun, Jan 01, 2012 at 05:31:46PM +0300, Nginx U. wrote:

>> I’ve already worked out a patch for these two functions in ngx_lua’s
>> branch in 3 Jan.
>
> It would probably be a good idea at that point, to finally make a
> release of v0.3.1 of the ngx_lua module as with about 45 “Release
> Candidates”, it must already hold some record :)

+1.


Sergey A. Osokin

On Sun, Jan 1, 2012 at 10:20 PM, agentzh wrote:

> enforcing unlimited parsing by specifying a zero number.
>
> This patch (as well as this branch) will be merged into the master
> branch in 3 Jan.

I’ve also added similar protections to ngx.req.get_headers():

http://wiki.nginx.org/HttpLuaModule#ngx.req.get_headers

All of these changes have been released as ngx_lua 0.3.1rc45:

Tags · openresty/lua-nginx-module · GitHub

and also included in the ngx_openresty bundle’s devel version 1.0.10.39:

OpenResty® - Open source

Feedback welcome!

Best,
-agentzh

On 4 January 2012 14:48, agentzh wrote:

> I’ve also added similar protections to ngx.req.get_headers():
>
> Lua | NGINX
>
> All of these changes have been released as ngx_lua 0.3.1rc45:

Nice one.

Thanks.