| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| |
| <html> |
| <head> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <title>October 2013 ngx_pagespeed Security Update.</title> |
| <link rel="stylesheet" href="doc.css"> |
| </head> |
| <body> |
| <!--#include virtual="_header.html" --> |
| |
| |
| <div id=content> |
| <h1>October 2013 ngx_pagespeed Security Update.</h1> |
| <h2 id="overview">Overview</h2> |
| |
| <p> |
| All versions of ngx_pagespeed prior to 1.6.29.7 are subject to critical |
| cross-site scripting (XSS) vulnerability CVE-2013-6111. Depending on |
| configuration this may permit a hostile third party to execute JavaScript in |
| users' browsers in the context of the domain running ngx_pagespeed, which could |
| permit theft of users' cookies or data on the site. |
| </p> |
| |
| <p> |
| Because of the severity of the problem, users of affected versions are |
| <strong>strongly</strong> encouraged to <strong>immediately</strong> update |
| ngx_pagespeed or apply the workaround below. |
| </p> |
| |
| <p> |
| To be notified of further security updates subscribe to the |
| <a href="mailing-lists#announcements">announcements mailing list</a>. |
| </p> |
| |
| <h2 id="solutions">Solutions</h2> |
| |
| <p> |
| Users of affected versions should either apply the workaround or update to |
| version 1.6.29.7 or later. |
| </p> |
| |
| <h3 id="workaround">Workaround</h3> |
| |
| <p> |
| The vulnerability requires access to <code>/ngx_pagespeed_statistics</code>, |
| <code>/ngx_pagespeed_global_statistics</code>, or |
| <code>/ngx_pagespeed_message</code>. Prohibiting access to these in |
| your <code>nginx.conf</code> is sufficient to keep it from being exploited. |
| Note that it is not enough to restrict these pages to trusted users; they must |
| not be accessible to anyone. Example workaround configuration: |
| <pre> |
| location /ngx_pagespeed_statistics { deny all; } |
| location /ngx_pagespeed_global_statistics { deny all; } |
| location /ngx_pagespeed_message { deny all; } |
| </pre> |
| </p> |
| |
| <p> |
| While ngx_pagespeed and mod_pagespeed are very similar, this workaround is not |
| sufficient for mod_pagespeed. If you also run PageSpeed in Apache please follow |
| the recommendations in the <a href="announce-sec-update-201310">October 2013 |
| mod_pagespeed Security Update</a>. |
| </p> |
| |
| <h3 id="update">Update</h3> |
| |
| <p> |
| Users unable to apply the workaround, or who want continued access to the |
| informational data provided by <code>/ngx_pagespeed_statistics</code> |
| or <code>/ngx_pagespeed_message</code> should update to an unaffected version. |
| This requires building nginx with the updated ngx_pagespeed module and |
| installing it in place of the current version. See |
| the <a href="https://github.com/apache/incubator-pagespeed-ngx#how-to-build">build |
| instructions</a>. |
| </p> |
| |
| <p> |
| Users having difficulty applying these updates or with other questions should |
| write to the <a href="mailing-lists#discussion">discussion group</a>. |
| |
| </div> |
| <!--#include virtual="_footer.html" --> |
| </body> |
| </html> |