<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#330000">Hi there,</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#330000">so I'm running on nginx and as I can see there is nothing about cgi-bin in those settings. I'm familiar with apache but not too much with nginx so just wanted to make sure if that can cause me trouble.</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#330000"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#330000">regards,</div><div class="gmail_default" style="font-family:tahoma,sans-serif;font-size:small;color:#330000">
Mohammad</div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><font color="#660000">====================</font><br><div><font color="#660000">Mohammad Naghavi</font></div><div><br></div><div><font color="#660000">Software engineer & analyst</font></div>
<div><font color="#660000">Senior web and desktop developer</font></div><div><font color="#660000"><a href="http://naghavi.me" target="_blank">naghavi.me</a></font></div><div><ul style="margin:0px;padding:0px 0px 8px;border:0px;outline:0px;font-size:12px;font-family:Arial,sans-serif;vertical-align:baseline;list-style:none;line-height:17px;display:table-cell;width:505px;color:rgb(51,51,51)">
<li style="margin:0px;padding:8px 12px 2px 0px;border:0px;outline:0px;font-style:inherit;font-size:11px;font-family:inherit;vertical-align:baseline;font-variant:inherit;line-height:1.2em"><dl style="margin:0px;padding:0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:baseline;font-variant:inherit;line-height:inherit;word-wrap:break-word">
<dd style="margin:0px;padding:2px 9px 1px 0px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:top;font-variant:inherit;line-height:inherit;display:inline-block;zoom:1"><a href="http://at.linkedin.com/in/mohamnag/" title="View public profile" name="SafeHtmlFilter_webProfileURL" style="margin:0px 10px 0px 0px;padding:0px 0px 0px 19px;border:0px;outline:0px;font-style:inherit;font-family:inherit;vertical-align:middle;text-decoration:none;color:rgb(102,102,102);font-variant:inherit;line-height:inherit;display:inline-block;zoom:1;background-image:url(http://s.c.lnkd.licdn.com/scds/common/u/images/apps/profile/sprite/sprite_profile_top_card_v8.png);background-repeat:no-repeat no-repeat" target="_blank">at.linkedin.com/in/mohamnag/</a></dd>
</dl></li></ul></div></div></div>
<br><br><div class="gmail_quote">On Wed, Jan 29, 2014 at 2:02 PM, Erwin Rennert <span dir="ltr"><<a href="mailto:rennert@zsi.at" target="_blank">rennert@zsi.at</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">On 01/29/2014 01:41 PM, Mohammad Naghavi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi everybody,<br>
I'm new to owncloud and just started using it since two days but I just<br>
found out that I have been just attacked. they are trying requests<br>
similar to the following with different target urls:<br>
<br>
<br>
quest: "POST<br>
/cgi-bin/php4?%2D%64+%61%6C%<u></u>6C%6F%77%5F%75%72%6C%5F%69%6E%<u></u>63%6C%75%64%65%3D%6F%6E+%2D%<u></u>64+%73%61%66%65%5F%6D%6F%64%<u></u>65%3D%6F%66%66+%2D%64+%73%75%<u></u>68%6F%73%69%6E%2E%73%69%6D%75%<u></u>6C%61%74%69%6F%6E%3D%6F%6E+%<u></u>2D%64+%64%69%73%61%62%6C%65%<u></u>5F%66%75%6E%63%74%69%6F%6E%73%<u></u>3D%22%22+%2D%64+%6F%70%65%6E%<u></u>5F%62%61%73%65%64%69%72%3D%6E%<u></u>6F%6E%65+%2D%64+%61%75%74%6F%<u></u>5F%70%72%65%70%65%6E%64%5F%66%<u></u>69%6C%65%3D%70%68%70%3A%2F%2F%<u></u>69%6E%70%75%74+%2D%64+%63%67%<u></u>69%2E%66%6F%72%63%65%5F%72%65%<u></u>64%69%72%65%63%74%3D%30+%2D%<u></u>64+%63%67%69%2E%72%65%64%69%<u></u>72%65%63%74%5F%73%74%61%74%75%<u></u>73%5F%65%6E%76%3D%30+%2D%6E<br>
HTTP/1.1", host: "<br>
XXX.XXX.XXX.XXX"<br>
<br>
which decodes to:<br>
<br>
quest: "POST /cgi-bin/php4?-d allow_url_include=on -d safe_mode=off -d<br>
suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d<br>
auto_prepend_file=php://input -d cgi.force_redirect=0 -d<br>
cgi.redirect_status_env=0 -n HTTP/1.1", host: "XXX.XXX.XXX.XXX"<br>
<br>
I'm using OC 6.0.1 and I want to know if my server is prone to such<br>
attacks or not.<br>
</blockquote>
<br></div></div>
See <a href="http://security.stackexchange.com/questions/46566/protect-against-post-cgi-bin-php-attacks" target="_blank">http://security.stackexchange.<u></u>com/questions/46566/protect-<u></u>against-post-cgi-bin-php-<u></u>attacks</a><br>
<br>
Your server is prone to such attacks, if it uses cgi-bin directives in it's apache configuration. This is an apache configuration issue, not specifically OwnCloud.<br>
<br>
Good luck;<br>
Erwin<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
regards,<br>
Mohammad<br>
<br>
!DSPAM:52e8f76916541752919656!<br>
<br>
<br>
______________________________<u></u>_________________<br>
Owncloud mailing list<br>
<a href="mailto:Owncloud@kde.org" target="_blank">Owncloud@kde.org</a><br>
<a href="https://mail.kde.org/mailman/listinfo/owncloud" target="_blank">https://mail.kde.org/mailman/<u></u>listinfo/owncloud</a><br>
<br>
<br>
!DSPAM:52e8f76916541752919656!<br>
<br>
</blockquote>
<br>
<br>
-- <br>
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br>
Erwin Rennert, IT Services<br>
Center for Social Innovation<br>
<br>
A-1150 Wien, Linke Wienzeile 246<br>
Austria, Europe<br>
<br>
Phone: <a href="tel:%2B%2B43-1-495%2004%2042%20-%2061" value="+431495044261" target="_blank">++43-1-495 04 42 - 61</a><br>
Facsimile: <a href="tel:%2B%2B43-1-495%2004%2042%20-%2040" value="+431495044240" target="_blank">++43-1-495 04 42 - 40</a><br>
<a href="http://www.zsi.at/" target="_blank">http://www.zsi.at/</a><br>
<br>
______________________________<u></u>_________________<br>
Owncloud mailing list<br>
<a href="mailto:Owncloud@kde.org" target="_blank">Owncloud@kde.org</a><br>
<a href="https://mail.kde.org/mailman/listinfo/owncloud" target="_blank">https://mail.kde.org/mailman/<u></u>listinfo/owncloud</a><br>
</blockquote></div><br></div>