Security advisory


Vladimir Kochetkov, Positive Research Center, discovered a
security problem in nginx/Windows, which might allow security
restrictions bypass (CVE-2011-4963).

There are many ways to access the same file when working under
Windows, and nginx failed to account for all of them. As a
result, it was possible to bypass security restrictions like

location /directory/ {
    deny all;

by requesting a file as “/directory::$index_allocation/file”, or
“/directory:$i30:$index_allocation/file”, or “/directory./file”.

The problem is fixed in nginx/Windows 1.3.1, 1.2.1.

For older versions the following configuration can be used as a

location ~ "(\./|:\$)" {
    deny all;

Maxim D.