CVE-2018-9230

In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting, but is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not a vulnerability in OpenResty.


We have discovered 73,544 live websites that are affected by CVE-2018-9230.


Affected Software

Product                    OpenResty
Category                   Web Servers
Vulnerable Domains         73,544 live websites (16.61% of OpenResty install base)
Vulnerable Versions
  • from 0 through 1.13.6.1
Vulnerable Versions Count  19 versions (41.30% of all versions)



Details

  • Published - Apr 3, 2018
  • Updated - Aug 5, 2024

CVE-2018-9230 usage by Country

United States  1,702 websites
Singapore      70,161 websites
China          649 websites
GB             397 websites
Japan          232 websites
India          82 websites
Hungary        69 websites
Canada         64 websites
France         30 websites

CVE-2018-9230 usage by TLD

.com    53,236 websites
.org    5,267 websites
.net    4,098 websites
.info   1,607 websites
.de     909 websites
.co.uk  775 websites
.co     552 websites
.io     470 websites
.it     313 websites
.jp     203 websites

FAQ

A total of 73,544 websites have been identified as vulnerable to CVE-2018-9230, discovered through global website indexing conducted by WebTechSurvey.
OpenResty is susceptible to the CVE-2018-9230 vulnerability.
OpenResty versions up to and including 1.13.6.1 are vulnerable to CVE-2018-9230.