During my reconnaissance for your bug bounty program, I discovered an instance of nginx version 1.4.6 running at the IP address https://54.153.101.52. To locate it, I search for IRCCloud-related certificated and found the self-signed certificate for this server (https://censys.io/ipv4/54.153.101.52). This version is in the range of nginx versions affected by the CVE, CVE-2014-0133. There is a known exploit for this CVE. According to MITRE, this βheap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.β
{F120380}
However, to succeed, I believe that the exploit requires the ngx_http_spdy_module module (which is not compiled by default) and it requires no --with-debug configure option, if the βspdyβ option of the βlistenβ directive is used in a configuration file. Because I am unable to check the configuration of your server, I wanted to inform you of this outdated version.
Regardless, this is a very outdated version of nginx that should likely be updated to the most recent version if you intend to keep if publicly-exposed. This would correct the vulnerability (if it is vulnerable). Alternatively, if you only want to correct the vulnerability, you can use the patch below:
--- src/http/ngx_http_spdy.c
+++ src/http/ngx_http_spdy.c
@@ -1849,7 +1849,7 @@ static u_char *
ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc,
u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler)
{
-#if (NGX_DEBUG)
+#if 1
if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) {
ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,
"spdy state buffer overflow: "
Source: https://nginx.org/download/patch.2014.spdy2.txt
Best,
@n0rb3r7