BTW, mod_security is available for Nginx at beta stage; it's a good deal to install it and add the OWASP core rules. For dynamic content (CMS like Drupal, WordPress, Joomla, etc.), the Atomicorp (GotRoot) rules for mod_security work better.
2014/1/20 Jorge SoydelBierzo <[email protected]>

> Nweb is easily exploitable
>
> A simple petition like this crashes server:
>
> GET
> /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> HTTP/1.0
>
> It's also possible to hack core file using a special crafted petition,
> using info gathered and metasploit to inject a shell using one of the linux
> reverse payloads, giving access to your server with privileges from user
> running the web server.
>
> Nweb is not for a production environment, better use Nginx without access
> to cgi, php-fpm, etc. just for static content.
>
>
> 2014/1/20 Jonathan Wilkes <[email protected]>
>
>> Hi list,
>> I'm thinking about setting up a slightly modified version of nweb as
>> a Tor hidden service:
>> http://www.ibm.com/developerworks/systems/library/es-nweb/index.html?ca=dat
>>
>> This is for fun, mostly just to learn some more about Tor hidden services
>> and webservers. But it's got me wondering: has anyone done this yet?
>>
>> If not, I'm curious what kinds of attacks a security specialist sees with
>> this setup if I just want to post something like the text of the Magna
>> Carta. Especially-- are there simple attacks against such a naive
>> webserver like this that nginx or other webservers run as a hidden service
>> would prevent?
>>
>> Best,
>> Jonathan
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or
>> change password by emailing moderator at [email protected].
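The quoted crash above comes from an over-long request line being copied into a fixed-size buffer. As an added example (not nweb's code, nor anything from the thread), here is the defensive counterpart: a request-line parser that works from the received byte count rather than a NUL terminator, rejects lines over a limit with 414 before writing into any fixed-size field, and bounds every copy. The limit `MAX_REQUEST_LINE`, the `struct request` layout and the helper names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical limit on the request line; nweb's own buffer size is not stated on the page. */
#define MAX_REQUEST_LINE 1024

/* HTTP-style status returned by the parser. */
enum req_status { REQ_OK = 200, REQ_BAD_REQUEST = 400, REQ_URI_TOO_LONG = 414 };

/* Fixed-size fields: every copy below is length-checked against these sizes. */
struct request {
    char method[8];
    char path[MAX_REQUEST_LINE];
    char version[16];
};

/* Parse "METHOD SP path SP HTTP/x.y [CR]LF" from `len` received bytes.
 * `len` is the byte count from recv(), not strlen(), so an unterminated
 * buffer cannot be read past its end. */
enum req_status parse_request_line(const char *buf, size_t len, struct request *out)
{
    /* Locate the end of the first line within the received bytes only. */
    const char *eol = memchr(buf, '\n', len);
    size_t line_len = eol ? (size_t)(eol - buf) : len;
    if (line_len && buf[line_len - 1] == '\r') line_len--;

    /* Reject over-long lines before any field is touched (this is the crash case). */
    if (line_len >= MAX_REQUEST_LINE) return REQ_URI_TOO_LONG;

    const char *end = buf + line_len;
    const char *sp1 = memchr(buf, ' ', line_len);
    if (!sp1) return REQ_BAD_REQUEST;
    size_t mlen = (size_t)(sp1 - buf);
    if (mlen == 0 || mlen >= sizeof out->method) return REQ_BAD_REQUEST;

    const char *p = sp1 + 1;
    const char *sp2 = memchr(p, ' ', (size_t)(end - p));
    if (!sp2) return REQ_BAD_REQUEST;
    size_t plen = (size_t)(sp2 - p);
    if (plen == 0 || p[0] != '/') return REQ_BAD_REQUEST;

    const char *v = sp2 + 1;
    size_t vlen = (size_t)(end - v);
    if (vlen >= sizeof out->version || vlen < 5 || strncmp(v, "HTTP/", 5) != 0)
        return REQ_BAD_REQUEST;

    /* All lengths are now known to fit; copy and NUL-terminate each field. */
    memcpy(out->method, buf, mlen);  out->method[mlen] = '\0';
    memcpy(out->path, p, plen);      out->path[plen] = '\0';
    memcpy(out->version, v, vlen);   out->version[vlen] = '\0';
    return REQ_OK;
}

/* Convenience wrapper for a NUL-terminated test line (constructed input). */
enum req_status classify_line(const char *line)
{
    struct request r;
    return parse_request_line(line, strlen(line), &r);
}

/* Build "GET /AAA...A HTTP/1.0\r\n" with `n` A's, mirroring the quoted
 * request shape (constructed input), and classify it. */
enum req_status classify_padded_get(size_t n)
{
    static char buf[8192];
    size_t pos = 0;
    if (n > sizeof buf - 32) n = sizeof buf - 32;   /* keep the constructed line in bounds */
    memcpy(buf + pos, "GET /", 5);       pos += 5;
    memset(buf + pos, 'A', n);           pos += n;
    memcpy(buf + pos, " HTTP/1.0\r\n", 11); pos += 11;
    struct request r;
    return parse_request_line(buf, pos, &r);
}

int main(void)
{
    printf("short GET   -> %d\n", classify_line("GET / HTTP/1.0\r\n"));
    printf("garbage     -> %d\n", classify_line("garbage"));
    printf("3000 x 'A'  -> %d\n", classify_padded_get(3000));
    return 0;
}
```

The point of working from `len` and checking `line_len` first is that the decision to refuse the request is made before any byte reaches a fixed-size field, so the size of the incoming line can never influence where writes land. A server that instead reads with `read(fd, buf, BUFSIZE)` and then copies the URI with `strcpy` has no such ordering, which is exactly the class of bug the thread describes.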
