Fixed a critical vulnerability in nginx

Posted: May 8, 2013 in Vulnerabilities, Vulnerability News
Tags: ,

Critical vulnerabilities in routers

Vulnerability in nginx

Vulnerability allows execution of arbitrary code on the target system.

It turned out unscheduled update server nginx to version 1.4.1, which eliminated the vulnerability CVE-2013-2028, which allows the execution of arbitrary code on the target redundant system.

The vulnerability can lead to overwriting the stack areas of the workflow when processing specially designed chunked-queries. Gaps are subject to the implementation of nginx versions 1.3.9 and 1.4.0.

The corresponding update was also issued for the FreeBSD ports with version 1.4.0.

As an additional method to correct the vulnerability of the manufacturer offers in each of the blocks server {} disable the processing of chunked-query this way:

if ($ http_transfer_encoding ~ * chunked) {
444 return;

We encourage our readers to fix the vulnerability as soon as possible.

Buffer overflow in nginx: Vulnerability description

Danger level: High
The presence of fixes: Yes
The number of vulnerabilities: 1

CVE ID: CVE-2013-2028
Vector of operation: Remote
Impact: System Compromise

Affected products: nginx 1.4.x

Affected versions: nginx version 1.3.9 – 1.4.0


The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability is caused due to a boundary error when processing HTTP data as a function of ngx_http_parse_chunked () in the file http / ngx_http_parse.c. This can be exploited to execute arbitrary code on the target system.

Manufacturer URL:

Solution: Update to version 1.4.1 or 1.5.0 with the manufacturer’s website.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s