Nginx warning: using uninitialized "x" variable while logging request

Recently, while checking nginx's logs, I found a very strange entry, so I tried my best to investigate it.

This is nginx's error_log:

2022/01/08 11:20:42 [warn] 17711#17711: *7482384 using uninitialized "server" variable while logging request, client: 45.135.xxx.xx6, server: 127.0.0.1, request: "GET /node_modules/../../../../../etc/passwd HTTP/1.1"

Does this mean the server is under attack? The hacker seems to be probing for a file system access vulnerability.
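To triage entries like the one above, the following added example (not part of the original post) scans error_log lines for this warning and reports those whose request path climbs above "/". The function names and the sample lines are constructed for illustration; the client addresses are documentation addresses, not the redacted one from the log.

```python
import re
from urllib.parse import unquote

# Matches error_log entries of the form shown above: the warning text followed
# by the client / server / request fields nginx appends to the message.
WARN_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[warn\] \d+#\d+: \*\d+ '
    r'using uninitialized "(?P<var>[^"]+)" variable while logging request, '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<target>\S+)(?: HTTP/[\d.]+)?"'
)

def escapes_root(target: str) -> bool:
    """True if the request path climbs above "/" once percent-decoded."""
    path = unquote(target.split("?", 1)[0])  # drop the query string, decode %2e etc.
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:  # one more ".." than there were directories to leave
                return True
        elif segment not in ("", "."):
            depth += 1
    return False

def find_traversal_probes(lines):
    """Yield (timestamp, client, variable, target) for warnings logged on traversal requests."""
    for line in lines:
        m = WARN_RE.match(line)
        if m and escapes_root(m["target"]):
            yield m["ts"], m["client"], m["var"], m["target"]

# Constructed sample input. The first entry is modelled on the log line in the post;
# the others are made up to show an encoded probe, a harmless path and a non-matching entry.
SAMPLE = [
    '2022/01/08 11:20:42 [warn] 17711#17711: *7482384 using uninitialized "server" variable while logging request, client: 203.0.113.6, server: 127.0.0.1, request: "GET /node_modules/../../../../../etc/passwd HTTP/1.1"',
    '2022/01/08 11:21:03 [warn] 17711#17711: *7482390 using uninitialized "port" variable while logging request, client: 203.0.113.6, server: 127.0.0.1, request: "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1"',
    '2022/01/08 11:22:10 [warn] 17711#17711: *7482401 using uninitialized "server" variable while logging request, client: 198.51.100.9, server: 127.0.0.1, request: "GET /static/../index.html HTTP/1.1"',
    '2022/01/08 11:23:00 [error] 17711#17711: *7482410 open() "/data/x" failed (2: No such file or directory), client: 198.51.100.9, server: 127.0.0.1, request: "GET /x HTTP/1.1"',
]

if __name__ == "__main__":
    for hit in find_traversal_probes(SAMPLE):
        print(*hit, sep="\t")
```

Feeding it the real file (for example the lines of /data/logs/proxy-host_error.log from the configuration below) gives a per-client list of probes to review or block.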

Reproduction

This is my nginx.conf configuration:

server {
    set $forward_scheme http;
    set $server "127.0.0.1";
    set $port 1111;
    listen 80;
    listen [::]:80;
    server_name domain.com;
    access_log /data/logs/proxy-host_access.log proxy;
    error_log /data/logs/proxy-host_error.log warn;

    location / {
        # Proxy!
        include conf.d/include/proxy.conf;
    }
}

Trigger condition:

To recreate this error, run this command:

$ echo 'GET /node_modules/../../../../../etc/passwd HTTP/1.1
Host: domain.com

' | openssl s_client -quiet -connect domain.com 2>/dev/null

Then check nginx's error_log: the warning using uninitialized "server" variable while logging request will have been recorded there.

Reason

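Variables created with set are global in the sense that the name is known everywhere in the configuration, but a variable only has a value once a set directive assigning it has actually run. If no such assignment has been made in the location handling the request, the variable is still undefined there, and using it triggers the warning.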