Description
Version
1.23.0
What did you expect to happen?
A pass when running a detectify scan on our multisite.
Upon investigation it appears the multisite config in roles/wordpress-setup/templates/wordpress-site.conf.j2 is out of date with the current WordPress recommendation for multisite. I believe line 69:
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
should be:
rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
I also found this mentioned here: yandex/gixy#77
What actually happens?
Detectify raises a "Wordpress / NGINX HTTP Response Splitting" issue.
Steps to reproduce
- Set up a new Trellis install with multisite running via subdirectories
- Run a Detectify scan
- Observe the results
Also:
- Set up a new Trellis install with multisite running via subdirectories
- Visit https://mydomain.com/wp/%0d%0asplitting/wp-admin
System info
No response
Log output
No response
Please confirm this isn't a support request.
Yes
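The distinction the report relies on is that nginx's $uri is the decoded, normalized path (so %0d%0a becomes a literal CR LF in the Location header), while $request_uri is the raw, still percent-encoded request line. The following is an added example, not code from this issue or from Trellis: a small lint that flags redirect rewrites built from a decoded-path variable, plus a model of the Location header each variant would emit. The sample config, the host name example.test, and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample config (not the real Trellis template): the rewrite as the
# issue describes it, the recommended form, and an internal rewrite for contrast.
SAMPLE_CONF = """
server {
    # unsafe: $uri is decoded, so %0d%0a in the path becomes CR LF in Location
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    # safe: $request_uri is the raw request line and stays percent-encoded
    rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
    # internal rewrite: no Location header is emitted, so not a splitting vector
    rewrite ^/wp/(.*)$ /$1 last;
}
"""

REWRITE_RE = re.compile(
    r"^\s*rewrite\s+(?P<regex>\S+)\s+(?P<repl>\S+)"
    r"(?:\s+(?P<flag>last|break|redirect|permanent))?\s*;",
    re.MULTILINE,
)

# nginx variables holding the decoded URI; $request_uri is deliberately absent
DECODED_VAR_RE = re.compile(r"\$(?:uri|document_uri)(?![A-Za-z0-9_])")


def find_unsafe_redirect_rewrites(conf: str) -> list[str]:
    """Return rewrite directives that produce an external redirect (a Location
    header) from a decoded-path variable; these are response-splitting candidates."""
    findings = []
    for m in REWRITE_RE.finditer(conf):
        repl, flag = m.group("repl"), m.group("flag")
        # nginx treats a replacement starting with a scheme as an external
        # redirect even without the redirect/permanent flag
        external = flag in ("redirect", "permanent") or repl.startswith(
            ("http://", "https://", "$scheme://")
        )
        if external and DECODED_VAR_RE.search(repl):
            findings.append(m.group(0).strip())
    return findings


def location_header_for(raw_path: str, use_request_uri: bool) -> str:
    """Model the Location value the sample rewrite would emit for a request
    path: $request_uri keeps the raw path, $uri substitutes the decoded one."""
    path = raw_path if use_request_uri else unquote(raw_path)
    return f"https://example.test{path}/"


def header_is_split(header_value: str) -> bool:
    """True if the header value contains a bare CR or LF (header injection)."""
    return "\r" in header_value or "\n" in header_value
```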