doc/announce-ngx-sec-update-201310.html - incubator-pagespeed-website - Git at Google

 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->

 <html>
   <head>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>October 2013 ngx_pagespeed Security Update.</title>
     <link rel="stylesheet" href="doc.css">
   </head>
   <body>
 <!--#include virtual="_header.html" -->


   <div id=content>
 <h1>October 2013 ngx_pagespeed Security Update.</h1>
 <h2 id="overview">Overview</h2>

 <p>
 All versions of ngx_pagespeed prior to 1.6.29.7 are subject to critical
 cross-site scripting (XSS) vulnerability CVE-2013-6111.  Depending on
 configuration this may permit a hostile third party to execute JavaScript in
 users' browsers in the context of the domain running ngx_pagespeed, which could
 permit theft of users' cookies or data on the site.
 </p>

 <p>
 Because of the severity of the problem, users of affected versions are
 <strong>strongly</strong> encouraged to <strong>immediately</strong> update
 ngx_pagespeed or apply the workaround below.
 </p>

 <p>
 To be notified of further security updates subscribe to the
 <a href="mailing-lists#announcements">announcements mailing list</a>.
 </p>

 <h2 id="solutions">Solutions</h2>

 <p>
 Users of affected versions should either apply the workaround or update to
 version 1.6.29.7 or later.
 </p>

 <h3 id="workaround">Workaround</h3>

 <p>
 The vulnerability requires access to <code>/ngx_pagespeed_statistics</code>,
 <code>/ngx_pagespeed_global_statistics</code>, or
 <code>/ngx_pagespeed_message</code>. Prohibiting access to these in
 your <code>nginx.conf</code> is sufficient to keep it from being exploited.
 Note that it is not enough to restrict these pages to trusted users; they must
 not be accessible to anyone.  Example workaround configuration:
 <pre>
 location /ngx_pagespeed_statistics { deny all; }
 location /ngx_pagespeed_global_statistics { deny all; }
 location /ngx_pagespeed_message { deny all; }
 </pre>
 </p>

 <p>
 While ngx_pagespeed and mod_pagespeed are very similar, this workaround is not
 sufficient for mod_pagespeed.  If you also run PageSpeed in Apache please follow
 the recommendations in the <a href="announce-sec-update-201310">October 2013
 mod_pagespeed Security Update</a>.
 </p>

 <h3 id="update">Update</h3>

 <p>
 Users unable to apply the workaround, or who want continued access to the
 informational data provided by <code>/ngx_pagespeed_statistics</code>
 or <code>/ngx_pagespeed_message</code> should update to an unaffected version.
 This requires building nginx with the updated ngx_pagespeed module and
 installing it in place of the current version.  See
 the <a href="https://github.com/apache/incubator-pagespeed-ngx#how-to-build">build
 instructions</a>.
 </p>

 <p>
 Users having difficulty applying these updates or with other questions should
 write to the <a href="mailing-lists#discussion">discussion group</a>.

   </div>
   <!--#include virtual="_footer.html" -->
   </body>
 </html>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->

	<html>
	<head>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<title>October 2013 ngx_pagespeed Security Update.</title>
	<link rel="stylesheet" href="doc.css">
	</head>
	<body>
	<!--#include virtual="_header.html" -->


	<div id=content>
	<h1>October 2013 ngx_pagespeed Security Update.</h1>
	<h2 id="overview">Overview</h2>

	<p>
	All versions of ngx_pagespeed prior to 1.6.29.7 are subject to critical
	cross-site scripting (XSS) vulnerability CVE-2013-6111. Depending on
	configuration this may permit a hostile third party to execute JavaScript in
	users' browsers in the context of the domain running ngx_pagespeed, which could
	permit theft of users' cookies or data on the site.
	</p>

	<p>
	Because of the severity of the problem, users of affected versions are
	<strong>strongly</strong> encouraged to <strong>immediately</strong> update
	ngx_pagespeed or apply the workaround below.
	</p>

	<p>
	To be notified of further security updates subscribe to the
	<a href="mailing-lists#announcements">announcements mailing list</a>.
	</p>

	<h2 id="solutions">Solutions</h2>

	<p>
	Users of affected versions should either apply the workaround or update to
	version 1.6.29.7 or later.
	</p>

	<h3 id="workaround">Workaround</h3>

	<p>
	The vulnerability requires access to <code>/ngx_pagespeed_statistics</code>,
	<code>/ngx_pagespeed_global_statistics</code>, or
	<code>/ngx_pagespeed_message</code>. Prohibiting access to these in
	your <code>nginx.conf</code> is sufficient to keep it from being exploited.
	Note that it is not enough to restrict these pages to trusted users; they must
	not be accessible to anyone. Example workaround configuration:
	<pre>
	location /ngx_pagespeed_statistics { deny all; }
	location /ngx_pagespeed_global_statistics { deny all; }
	location /ngx_pagespeed_message { deny all; }
	</pre>
	</p>

	<p>
	While ngx_pagespeed and mod_pagespeed are very similar, this workaround is not
	sufficient for mod_pagespeed. If you also run PageSpeed in Apache please follow
	the recommendations in the <a href="announce-sec-update-201310">October 2013
	mod_pagespeed Security Update</a>.
	</p>

	<h3 id="update">Update</h3>

	<p>
	Users unable to apply the workaround, or who want continued access to the
	informational data provided by <code>/ngx_pagespeed_statistics</code>
	or <code>/ngx_pagespeed_message</code> should update to an unaffected version.
	This requires building nginx with the updated ngx_pagespeed module and
	installing it in place of the current version. See
	the <a href="https://github.com/apache/incubator-pagespeed-ngx#how-to-build">build
	instructions</a>.
	</p>

	<p>
	Users having difficulty applying these updates or with other questions should
	write to the <a href="mailing-lists#discussion">discussion group</a>.

	</div>
	<!--#include virtual="_footer.html" -->
	</body>
	</html>