Description
NGINX Plus includes the ngx_http_api_module module, which provides a REST API for real-time monitoring and configuration management, including the ability to view status information, modify upstream server groups, and manage key-value pairs without reloading the server.
This vulnerability occurs when the NGINX Plus API is exposed without authentication controls and configured with read-write permissions. This allows any network-accessible user to interact with the API and modify the NGINX Plus configuration dynamically. The lack of access restrictions on this sensitive management interface creates a significant security risk.
Remediation
Implement access controls to restrict the NGINX Plus API interface to authorized users and networks only. Follow these steps:
1. Restrict API access by IP address:
Configure the API location block to allow access only from trusted IP addresses or networks:
location /api {
api write=on;
allow 10.0.0.0/8; # Allow internal network
allow 192.168.1.100; # Allow specific admin IP
deny all; # Deny all other access
}2. Implement authentication:
Add HTTP Basic Authentication to the API endpoint:
location /api {
api write=on;
auth_basic "NGINX Plus API";
auth_basic_user_file /etc/nginx/.htpasswd;
allow 10.0.0.0/8;
deny all;
}3. Consider setting the API to read-only mode if write access is not required:
location /api {
api write=off; # Read-only mode
# ... access controls ...
}4. Use HTTPS:
Ensure the API is only accessible over encrypted connections to protect credentials and sensitive data in transit.
5. Monitor API access:
Enable logging for the API endpoint to detect unauthorized access attempts.
References
Related Vulnerabilities
WordPress Plugin Customer Reviews for WooCommerce Multiple Vulnerabilities (5.3.5)
WordPress Plugin wp superb Slideshow Information Disclosure (2.4)
WordPress Plugin Log Emails Information Disclosure (1.0.6)
WordPress Plugin SSL Insecure Content Fixer Information Disclosure (2.0.0)
WordPress Plugin WordPress Social Stream Information Disclosure (1.6)