PT-2018-18916 · Openresty · Openresty

Published 2018-04-02 · Updated 2024-08-05 · CVE-2018-9230

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenResty versions 1.13.6.1 and earlier
Description: OpenResty's ngx.req.get_uri_args and ngx.req.get_post_args parse at most 100 request arguments by default (the optional max_args parameter controls the cap) and silently discard everything after the hundredth, while nginx still forwards the complete query string or body to the upstream application. Any access-control or WAF logic written against these functions therefore never sees a payload carried in the 101st or a later parameter, which allows remote attackers to bypass intended access restrictions or evade Web Application Firewall products built on them, such as ngx_lua_waf or X-WAF. The vendor considers the cap a documented default that is adjustable through the API and treats any security-relevant misuse of the API by a WAF product as a vulnerability in that product, not in OpenResty.
Recommendations: For OpenResty versions 1.13.6.1 and earlier, pass an explicit max_args to ngx.req.get_uri_args and ngx.req.get_post_args that is at least as large as any request the application legitimately needs, and reject requests that carry more parameters than that (a value of 0 removes the cap entirely, which the OpenResty documentation discourages because of denial-of-service exposure). As a temporary workaround, do not base access decisions solely on the tables these functions return: inspect the raw query string and request body as well, or avoid these functions in security-critical code paths.
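The bypass and the hardening described above, as an added example that is not part of the advisory and is not code from OpenResty, ngx_lua_waf or X-WAF. It assumes OpenResty with lua-nginx-module and is meant to be loaded with access_by_lua_file; is_sqli is a hypothetical stand-in for a WAF rule engine, and MAX_ARGS is an illustrative value.

```lua
-- Added example (not from the advisory or from any WAF project).
-- Assumes OpenResty / lua-nginx-module; is_sqli() is a hypothetical
-- placeholder for a real rule engine, MAX_ARGS an illustrative cap.

local MAX_ARGS = 1000   -- the library default, when no max_args is passed, is 100

-- Hypothetical stand-in for the WAF's rule set.
local function is_sqli(v)
    return type(v) == "string" and v:lower():find("union%s+select") ~= nil
end

-- Walk an args table as returned by ngx.req.get_uri_args / get_post_args.
-- Values are strings, booleans (key without "=") or tables (repeated key).
local function scan(args)
    for key, value in pairs(args) do
        if type(value) == "table" then
            for _, v in ipairs(value) do
                if is_sqli(v) then return true, key end
            end
        elseif is_sqli(value) then
            return true, key
        end
    end
    return false
end

-- Count parameters in a raw "a=1&b=2" string without parsing it, so the
-- count cannot be affected by the table cap. Empty segments ("a=1&&b=2")
-- are counted too, which only makes the check more conservative.
local function count_params(raw)
    if raw == nil or raw == "" then return 0 end
    local n = 1
    for _ in raw:gmatch("&") do n = n + 1 end
    return n
end

-- BYPASSABLE form (what the advisory describes): with the implicit
-- max_args of 100, a payload in parameter 101 never reaches scan(),
-- while nginx still proxies the complete query string upstream.
local function check_request_weak()
    local args = ngx.req.get_uri_args()
    local hit, key = scan(args)
    if hit then
        ngx.log(ngx.WARN, "blocked on parameter ", key)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
end

-- HARDENED form: bound the parameter count from the raw input first, then
-- parse with an explicit cap at least that large, so nothing is dropped.
local function check_request()
    if count_params(ngx.var.query_string) > MAX_ARGS then
        ngx.log(ngx.WARN, "too many query parameters")
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    -- Newer lua-nginx-module returns "truncated" as a second value when the
    -- cap is hit; on affected versions err is always nil, which is why the
    -- raw count above runs first.
    local args, err = ngx.req.get_uri_args(MAX_ARGS)
    if err == "truncated" then
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    local hit, key = scan(args)
    if hit then
        ngx.log(ngx.WARN, "blocked on query parameter ", key)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    -- Same treatment for form bodies. get_post_args needs the body read in
    -- first and cannot parse a body that nginx spooled to a temp file, so a
    -- spooled body is rejected rather than left unscanned.
    ngx.req.read_body()
    local body = ngx.req.get_body_data()
    if body == nil and ngx.req.get_body_file() ~= nil then
        ngx.log(ngx.WARN, "request body too large to inspect")
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    if count_params(body) > MAX_ARGS then
        ngx.log(ngx.WARN, "too many body parameters")
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    local pargs, perr = ngx.req.get_post_args(MAX_ARGS)
    if perr == "truncated" then
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    local phit, pkey = scan(pargs)
    if phit then
        ngx.log(ngx.WARN, "blocked on body parameter ", pkey)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
end

check_request()   -- check_request_weak() is kept only for contrast
```

Against check_request_weak, a request such as ?p1=x&p2=x&...&p100=x&id=1 UNION SELECT ... passes unblocked because id is the 101st parameter; check_request rejects anything over MAX_ARGS before parsing and parses with a matching cap, so every parameter that reaches the upstream is also the one the rules saw.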

Tags: SQL injection

Related Identifiers: CVE-2018-9230

Affected Products: Openresty