Stephen J. Turnbull writes:
Hagen Bauer writes:
So the public does not see the credentials. And if my nginx host config is hacked I have a problem anyway.
I can't speak for Abhilash, but what would worry me is not that nginx is already hacked,
Urk. nginx may be *already* hacked. Via Twitter:
http://twitter.com/x0rz/status/1052899891624710145
Note: I originally saw this via Brian Krebs, but his tweet seems to have been deleted (the corresponding /briankrebs/status/... URL 404s), and comments on his tweet indicate that some attempts to replicate failed. So this may be a particular version, an already-fixed bug, or a red team fail. x0rz is a pretty reliable red-teamer, but I don't know anything about orange_8361 (the 0-day reporter). S/he may have only reported publicly after giving nginx plenty of time to fix and for the fix to propagate, or it may just be a screwup on her/his part.
Steve