October 2013 ngx_pagespeed Security Update.

Overview

All versions of ngx_pagespeed prior to 1.6.29.7 are subject to a critical cross-site scripting (XSS) vulnerability, CVE-2013-6111. Depending on configuration, this may permit a hostile third party to execute JavaScript in users' browsers in the context of the domain running ngx_pagespeed, which could permit theft of users' cookies or data on the site.

Because of the severity of the problem, users of affected versions are strongly encouraged to immediately update ngx_pagespeed or apply the workaround below.

To be notified of further security updates, subscribe to the announcements mailing list.

Solutions

Users of affected versions should either apply the workaround or update to version 1.6.29.7 or later.

Workaround

The vulnerability requires access to /ngx_pagespeed_statistics, /ngx_pagespeed_global_statistics, or /ngx_pagespeed_message. Prohibiting access to these in your nginx.conf is sufficient to keep it from being exploited. Note that it is not enough to restrict these pages to trusted users; they must not be accessible to anyone. Example workaround configuration:

location /ngx_pagespeed_statistics { deny all; }
location /ngx_pagespeed_global_statistics { deny all; }
location /ngx_pagespeed_message { deny all; }
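
One way to check a configuration against this workaround, as an added example that is not part of the original advisory or of ngx_pagespeed: the function below reports, for each of the three paths, whether a location block denies it to everyone, and flags blocks that carry an allow exception, since restricting to trusted users is not enough. The function name, the status strings and the sample configuration are assumptions made for illustration; it assumes a single flat config text with plain prefix or exact-match location blocks, no include files and no nested braces inside those blocks.

```python
import re

# The three handler paths named in the advisory.
PATHS = (
    "/ngx_pagespeed_statistics",
    "/ngx_pagespeed_global_statistics",
    "/ngx_pagespeed_message",
)

# Simple location block: optional "=" or "^~" modifier, path, brace-free body.
LOCATION_RE = re.compile(r"\blocation\s+(?:=\s*|\^~\s*)?(\S+)\s*\{([^{}]*)\}")

# Constructed sample: one correct block, one with an allow exception,
# and one that is only present as a comment.
SAMPLE_CONF = """
server {
    listen 80;
    location /ngx_pagespeed_statistics { deny all; }
    location /ngx_pagespeed_global_statistics { allow 127.0.0.1; deny all; }
    # location /ngx_pagespeed_message { deny all; }
}
"""


def audit_workaround(conf_text):
    """Return {path: 'ok' | 'missing' | 'not-denied-to-all'} for the three paths."""
    # Drop comments so a commented-out block does not count as protection.
    text = re.sub(r"#[^\n]*", "", conf_text)
    result = {p: "missing" for p in PATHS}
    for path, body in LOCATION_RE.findall(text):
        if path not in result:
            continue
        directives = [d.split() for d in body.split(";") if d.strip()]
        access = [d for d in directives if d[0] in ("allow", "deny")]
        # The workaround needs "deny all" with no allow exception of any kind.
        status = "ok" if access == [["deny", "all"]] else "not-denied-to-all"
        # If the path appears in several server blocks, one bad block is enough to fail.
        if result[path] != "not-denied-to-all":
            result[path] = status
    return result


if __name__ == "__main__":
    for path, status in audit_workaround(SAMPLE_CONF).items():
        print(f"{status:18} {path}")
```

A regex-style location (for example one using the `~` modifier) is not recognized and its paths are reported as missing, so the check errs toward flagging.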

While ngx_pagespeed and mod_pagespeed are very similar, this workaround is not sufficient for mod_pagespeed. If you also run PageSpeed in Apache please follow the recommendations in the October 2013 mod_pagespeed Security Update.

Update

Users unable to apply the workaround, or who want continued access to the informational data provided by /ngx_pagespeed_statistics or /ngx_pagespeed_message, should update to an unaffected version. This requires building nginx with the updated ngx_pagespeed module and installing it in place of the current version. See the build instructions.

Users having difficulty applying these updates or with other questions should write to the discussion group.