
NGINX HTTP Response Splitting for Multisites running in subdirectories #1548

Open
zak-wearecore opened this issue Oct 21, 2024 · 1 comment

@zak-wearecore

Version

1.23.0

What did you expect to happen?

A pass when running a Detectify scan on our multisite.

Upon investigation, it appears the multisite config in roles/wordpress-setup/templates/wordpress-site.conf.j2 is out of date with the current WordPress recommendation for multisite. I believe line 69:

rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;

should be:

rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;

I also found this mentioned here: yandex/gixy#77

What actually happens?

Detectify raises a "Wordpress / NGINX HTTP Response Splitting" issue.

Steps to reproduce

  1. Set up a new Trellis install with multisite running via subdirectories
  2. Run a Detectify scan
  3. Observe the results

Also:

  1. Set up a new Trellis install with multisite running via subdirectories
  2. Visit https://mydomain.com/wp/%0d%0asplitting/wp-admin

System info

No response

Log output

No response

Please confirm this isn't a support request.

Yes
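The check behind the reported finding, as an added example that is not part of this issue, of Trellis, or of gixy: nginx URL-decodes `$uri` and `$document_uri` before exposing them, so a path containing `%0d%0a` becomes a literal CR LF once it is substituted into a `Location` header built by a `rewrite ... permanent` (or `return`/`add_header`), whereas `$request_uri` keeps the request line as sent, percent-encoding included. The script below scans configuration text for that pattern, in the spirit of gixy's `http_splitting` rule, and simulates the header substitution for both variables using the test URL from the steps above. The sample config is constructed (it mirrors the shape of the WordPress multisite subdirectory block, with a `$uri` line as the weak form and a `$request_uri` line as the corrected form); the simulation assumes nginx substitutes variables verbatim into the header value.

```python
import re
from urllib.parse import unquote

# Constructed sample config (not the Trellis template itself): the first
# rewrite uses the URL-decoded $uri, the last one the raw $request_uri.
SAMPLE_CONFIG = """\
# constructed sample, modelled on the WordPress multisite subdirectory block
if (!-e $request_filename) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    rewrite ^(/[^/]+)?(/wp-.*) $2 last;
    rewrite ^(/[^/]+)?(/.*\\.php) $2 last;
}
rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
"""

# Directives whose arguments can end up in a response header (assumption: the
# same set gixy's http_splitting rule looks at).
HEADER_DIRECTIVES = ("rewrite", "return", "add_header")
# Variables nginx URL-decodes; $request_uri is not in this set on purpose.
DECODED_VARS = re.compile(r"\$(uri|document_uri)\b")


def find_header_injection_risks(config_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for each directive that places a decoded
    variable into a response header. Internal rewrites (last/break) never
    emit a header, so they are skipped."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        directive = line.split()[0]
        if directive not in HEADER_DIRECTIVES:
            continue
        if directive == "rewrite" and not re.search(r"\b(permanent|redirect)\s*;", line):
            continue
        if DECODED_VARS.search(line):
            findings.append((lineno, line))
    return findings


def location_header(template: str, request_path: str) -> str:
    """Simulate the Location value nginx would build from a rewrite target.
    $request_uri receives the raw path; $uri receives the URL-decoded path.
    (Assumption: variables are substituted verbatim, no header escaping.)"""
    value = template.replace("$request_uri", request_path)
    value = value.replace("$uri", unquote(request_path))
    return f"Location: {value}"


def header_is_split(header: str) -> bool:
    """True if a CR or LF made it into the header value, i.e. the response
    can be split into a second, attacker-shaped header block."""
    return "\r" in header or "\n" in header


if __name__ == "__main__":
    for lineno, line in find_header_injection_risks(SAMPLE_CONFIG):
        print(f"line {lineno}: decoded variable in header context: {line}")
    path = "/wp/%0d%0asplitting/wp-admin"  # the probe URL from the steps above
    for tmpl in ("$scheme://$host$uri/", "$scheme://$host$request_uri/"):
        hdr = location_header(tmpl, path)
        print(f"{tmpl!r}: split={header_is_split(hdr)} -> {hdr!r}")
```

Running it flags only the `$uri` line (line 3 of the sample) and shows the decoded template producing a header containing `\r\n`, while the `$request_uri` template keeps `%0d%0a` as inert text. The same `find_header_injection_risks` pass can be run over a rendered `wordpress-site.conf` as a quick regression check after editing the template.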
