October 2013 ngx_pagespeed Security Update.

Overview

All versions of ngx_pagespeed prior to 1.6.29.7 are subject to a critical cross-site scripting (XSS) vulnerability, CVE-2013-6111. Depending on configuration, this may permit a hostile third party to execute JavaScript in users' browsers in the context of the domain running ngx_pagespeed, which could permit theft of users' cookies or other data on the site.

Because of the severity of the problem, users of affected versions are strongly encouraged to immediately update ngx_pagespeed or apply the workaround below.

To be notified of further security updates, subscribe to the announcements mailing list.

Solutions

Users of affected versions should either apply the workaround or update to version 1.6.29.7 or later.

Workaround

The vulnerability requires access to /ngx_pagespeed_statistics, /ngx_pagespeed_global_statistics, or /ngx_pagespeed_message. Prohibiting access to these in your nginx.conf is sufficient to keep it from being exploited. Note that it is not enough to restrict these pages to trusted users; they must not be accessible to anyone, since the attack is carried out in a trusted user's browser. Add the blocks to every server block in which PageSpeed is enabled. Example workaround configuration:

location /ngx_pagespeed_statistics { deny all; }
location /ngx_pagespeed_global_statistics { deny all; }
location /ngx_pagespeed_message { deny all; }

While ngx_pagespeed and mod_pagespeed are very similar, this workaround is not sufficient for mod_pagespeed. If you also run PageSpeed in Apache, please follow the recommendations in the October 2013 mod_pagespeed Security Update.
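The following script is an added example, not part of the original advisory or of the ngx_pagespeed project. It checks that the workaround is actually in effect in two ways: it audits an nginx configuration for the three location blocks above, and it probes a running server for the 403 that nginx returns for `deny all`. It assumes the handler paths are fixed at the three names in the advisory, and its configuration check only understands the flat `location ... { ... }` form shown above (no nested blocks or include files). One caveat it reports: a plain prefix location such as `location /ngx_pagespeed_message { deny all; }` can be shadowed by a regular-expression location in the same server block, because nginx prefers a matching regex location over a plain prefix match; writing the location as `location ^~ /ngx_pagespeed_message { deny all; }` or `location = ... { deny all; }` rules that out. The sample configuration embedded in the script is constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Handler paths named in the advisory; access to any of them is the
# precondition for exploiting CVE-2013-6111.
PAGESPEED_HANDLERS = (
    "/ngx_pagespeed_statistics",
    "/ngx_pagespeed_global_statistics",
    "/ngx_pagespeed_message",
)

# Matches one flat location block, e.g. `location ^~ /x { deny all; }`, capturing
# the optional modifier, the path and the block body (no nested braces supported).
_LOCATION_RE = re.compile(r"location\s+(?:(=|\^~|~\*?)\s+)?(\S+)\s*\{([^{}]*)\}", re.S)


def _strip_comments(conf: str) -> str:
    """Drop nginx '#' comments so a commented-out `deny all;` does not count."""
    return re.sub(r"#[^\n]*", "", conf)


def audit_config(conf: str) -> dict:
    """Map each handler path to 'denied', 'denied-prefix-only' or 'open'.

    'denied' means a `=` or `^~` location denies the path outright.
    'denied-prefix-only' means a plain prefix location denies it, which works unless
    a regex location elsewhere in the same server block also matches the path.
    'open' means no deny was found (an `allow` list alone is not enough: the advisory
    requires that nobody can reach these handlers).
    """
    verdicts = {handler: "open" for handler in PAGESPEED_HANDLERS}
    for modifier, path, body in _LOCATION_RE.findall(_strip_comments(conf)):
        if modifier in ("~", "~*") or path not in verdicts:
            continue  # regex locations and unrelated paths are not audited here
        if re.search(r"\bdeny\s+all\s*;", body):
            verdicts[path] = "denied" if modifier in ("=", "^~") else "denied-prefix-only"
    return verdicts


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Request each handler on a live server and map it to the HTTP status received.

    The workaround is in effect only when every path returns 403, the status nginx
    sends for `deny all`; a 200 means the handler is still reachable.
    """
    statuses = {}
    for handler in PAGESPEED_HANDLERS:
        req = urllib.request.Request(base_url.rstrip("/") + handler, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                statuses[handler] = resp.status
        except urllib.error.HTTPError as err:
            statuses[handler] = err.code
    return statuses


# Constructed sample configuration (not from the advisory): two handlers are
# blocked robustly, the third only has a commented-out deny and an allow list.
SAMPLE_CONF = """
server {
    listen 80;
    pagespeed on;
    location ^~ /ngx_pagespeed_statistics { deny all; }
    location = /ngx_pagespeed_global_statistics { deny all; }
    location /ngx_pagespeed_message {
        # deny all;
        allow 10.0.0.0/8;
    }
}
"""


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # python audit.py http://host  -> probe the live server
        for handler, status in probe(sys.argv[1]).items():
            print(f"{status}  {handler}")
    else:  # python audit.py < nginx.conf  -> audit the configuration text
        for handler, verdict in audit_config(sys.stdin.read()).items():
            print(f"{verdict:20} {handler}")
```

Run with a URL argument to probe a live server, or pipe nginx.conf on standard input to audit the configuration. Running it against SAMPLE_CONF reports /ngx_pagespeed_message as open, which is exactly the "restricted to trusted users" configuration the advisory says is insufficient.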

Update

Users unable to apply the workaround, or who want continued access to the informational data provided by /ngx_pagespeed_statistics or /ngx_pagespeed_message, should update to an unaffected version. This requires building nginx with the updated ngx_pagespeed module and installing it in place of the current version. See the build instructions.

Users having difficulty applying these updates, or with other questions, should write to the discussion group.
