
I have a website running Laravel 5.3 on Ubuntu with nginx 1.4.6.

I did a security scan which resulted in "OS command injection" by modifying an HTTP header and injecting a payload.

The problem is, I can't really locate where I'm not sanitizing my headers. Or should this be a setting in nginx?

I appreciate the help, as it's been many hours trying to figure this one out.

nullwriter
  • Without code, we also cannot locate the problem. – Thomas Aug 04 '20 at 09:26
  • This is not specific to a piece of code, but rather the project itself. The real question is whether I can secure my website (against the problem described above) with nginx configuration. – nullwriter Aug 04 '20 at 09:28

1 Answer

I think it would not be possible to make it by changing your nginx configuration. First of all you need to find the code and understand the problem. When you mention a header, it may be that you use a forward by Location header somewhere, or you use $_SERVER['PHP_SELF'] somewhere...

Here I have explained why this may be a problem:

Using $_SERVER['PHP_SELF']; vs htmlentities($_SERVER['PHP_SELF']); for canonical link on https

But without code we cannot help you further.

Thomas
  • What part of the code should I show? That is exactly the problem. I've tried searching every reference for $_SERVER or header, or the names of the hijacked headers, but with no success. – nullwriter Aug 04 '20 at 10:18
  • What is the exact message of the security scan? Is there any hint where it found a vulnerability? – Thomas Aug 04 '20 at 10:54
  • It says that by exploiting the 'header' element named 'Accept-Charset' it was able to inject code (it injected a ping command). They also tried with the 'Accept_Language' header. – nullwriter Aug 04 '20 at 12:51
  • Then you need to look for "Accept-Charset"; maybe Laravel or some other PHP extension needs an update. – Thomas Aug 04 '20 at 13:23
  • I don't think so, as it's 7.1, and other Laravel websites don't have this vulnerability. It must be specific to this project, yet I can't find any occurrence of those headers. It must be a library in vendor. – nullwriter Aug 04 '20 at 15:24
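As an added example (not code from the question or the answer), a POSIX shell script that does the hunt the comments describe: it greps the PHP files under a project root, vendor/ included, for shell-execution sinks and for reads of the Accept-Charset / Accept-Language headers, and reports the files that contain both, which are the first ones to read by hand. The sample tree and the package name acme/charset are constructed for the dry run; point it at the real project root instead.

```shell
#!/bin/sh
# Added example: find PHP files that both read Accept-Charset/Accept-Language
# and call a shell. Sample tree below is constructed, not the asker's project.

# Shell-execution sinks in PHP: the exec family and the backtick operator.
SINKS='(^|[^[:alnum:]_])(exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec|escapeshellarg|escapeshellcmd)[[:space:]]*\(|`'
# Ways the two headers reach PHP: CGI variables, raw header names (e.g. in a
# vendor package), getallheaders(), and the Laravel/Symfony request API.
SOURCES='HTTP_ACCEPT_(CHARSET|LANGUAGE)|Accept-(Charset|Language)|getallheaders[[:space:]]*\(|->header[[:space:]]*\(|->getCharsets[[:space:]]*\(|->getLanguages[[:space:]]*\(|->getPreferredLanguage[[:space:]]*\('

# find_sinks DIR: print "file:line" for every PHP line calling a shell sink.
find_sinks() {
    grep -rnE --include='*.php' "$SINKS" "$1" 2>/dev/null | cut -d: -f1,2
}

# find_sources DIR: print "file:line" for every PHP line reading the headers.
find_sources() {
    grep -rnE --include='*.php' "$SOURCES" "$1" 2>/dev/null | cut -d: -f1,2
}

# files_with_both DIR: files containing a sink AND a header source.
files_with_both() {
    s=$(mktemp); h=$(mktemp)
    find_sinks "$1" | cut -d: -f1 | sort -u > "$s"
    find_sources "$1" | cut -d: -f1 | sort -u > "$h"
    comm -12 "$s" "$h"
    rm -f "$s" "$h"
}

# make_sample_tree: constructed Laravel-like tree for a dry run; prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app/Http/Middleware" "$root/app/Jobs" "$root/vendor/acme/charset/src"
    # Reads the header but never shells out: noise, not the bug.
    printf '%s\n' '<?php' "\$lang = \$request->header('Accept-Language');" \
        > "$root/app/Http/Middleware/Locale.php"
    # Constructed vendor code passing the raw header to a shell: the pattern to find.
    printf '%s\n' '<?php' "\$cs = \$_SERVER['HTTP_ACCEPT_CHARSET'];" \
        "\$out = shell_exec('iconv -f utf-8 -t ' . \$cs . ' < ' . escapeshellarg(\$file));" \
        > "$root/vendor/acme/charset/src/Convert.php"
    # Shells out with a fixed command; no header involved.
    printf '%s\n' '<?php' "system('tar czf /var/backups/app.tgz /var/www/app/storage');" \
        > "$root/app/Jobs/Backup.php"
    echo "$root"
}

# Dry run on the constructed tree; replace ROOT with the project root (e.g. /var/www/app).
ROOT=$(make_sample_tree)
echo "Files that read Accept-Charset/Accept-Language AND call a shell:"
files_with_both "$ROOT"
rm -rf "$ROOT"
```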