Thread: nginx+php-cgi security alert
-
05-20-2010, 11:59 PM #1 Web Hosting Master
- Join Date: Jun 2004
- Location: Oregon
- Posts: 1,315
nginx+php-cgi security alert
original post http://www.80sec.com/nginx-securit.html
simple translation:
if you set up your nginx+php-cgi using a configuration like this:
location ~ \.php$ {
    root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    include fastcgi_params;
}
the URI would be /80sec.jpg/80sec.php
SCRIPT_FILENAME would be /scripts/80sec.jpg/80sec.php
if fix_pathinfo is enabled (most likely it is),
SCRIPT_FILENAME would become /scripts/80sec.jpg and PATH_INFO would become 80sec.php
/scripts/80sec.jpg would become the request processed by php,
which means someone can upload a jpg and have it executed as php.
quick fix: set cgi.fix_pathinfo = 0 in php.ini
or
if ( $fastcgi_script_name ~ \..*\/.*php ) {
    return 403;
}
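As an added illustration (not part of the original post, and not nginx or PHP source), the Python below emulates what the post describes: the `location ~ \.php$` routing, the splitting that `cgi.fix_pathinfo = 1` performs on SCRIPT_FILENAME, and the effect of each of the two fixes (setting fix_pathinfo to 0, or the `return 403` regex rule). The document root is a constructed in-memory file set, the function names are assumptions, and the fix_pathinfo walk is simplified to checking file existence only; PATH_INFO is reported with its leading slash. It also covers a case the post does not mention: a legitimate script under a directory whose name contains a dot, which the regex rule rejects.

```python
import re

# Added example: simplified model of cgi.fix_pathinfo=1 and of the two
# mitigations from the post. Not PHP or nginx code.

# Constructed document root: one real script, one uploaded image (the
# scenario from the post), and one script under a dotted directory name.
# Real code would call os.path.isfile instead of a set lookup.
CONSTRUCTED_FILES = {
    "/scripts/index.php",
    "/scripts/80sec.jpg",
    "/scripts/dir.v2/index.php",
}


def file_exists(path):
    return path in CONSTRUCTED_FILES


# Python equivalent of the nginx rule:  if ( $fastcgi_script_name ~ \..*\/.*php )
NGINX_GUARD_RE = re.compile(r"\..*/.*php")


def fix_pathinfo_split(script_filename, exists=file_exists):
    """Walk like cgi.fix_pathinfo=1: if SCRIPT_FILENAME is not an existing
    file, move trailing path components into PATH_INFO until the remaining
    prefix exists. Returns (script, path_info), or (None, None) if nothing
    on the path exists."""
    path, path_info = script_filename, ""
    while "/" in path:
        if exists(path):
            return path, path_info
        head, tail = path.rsplit("/", 1)
        path_info = "/" + tail + path_info
        path = head
    return None, None


def resolve_request(uri, fix_pathinfo=True, nginx_guard=False, root="/scripts"):
    r"""Model the 'location ~ \.php$' block from the post.
    Returns (script PHP would execute, PATH_INFO, HTTP status)."""
    if not uri.endswith(".php"):
        return None, "", 200          # location not matched; served as a static file
    if nginx_guard and NGINX_GUARD_RE.search(uri):
        return None, "", 403          # the 'return 403' rule from the post
    # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name
    script_filename = root + uri
    if not fix_pathinfo:
        # cgi.fix_pathinfo=0: PHP takes SCRIPT_FILENAME literally, no splitting
        if file_exists(script_filename):
            return script_filename, "", 200
        return None, "", 404
    script, path_info = fix_pathinfo_split(script_filename)
    if script is None:
        return None, "", 404
    return script, path_info, 200


if __name__ == "__main__":
    for uri in ("/index.php", "/80sec.jpg/80sec.php", "/dir.v2/index.php"):
        for fp, guard in ((True, False), (False, False), (True, True)):
            result = resolve_request(uri, fp, guard)
            print(f"{uri:22} fix_pathinfo={int(fp)} guard={int(guard)} -> {result}")
```

With the vulnerable defaults, `/80sec.jpg/80sec.php` resolves to the uploaded image as the script PHP executes; either fix turns it into a 404 or 403. The regex rule, however, also returns 403 for `/dir.v2/index.php`, so on sites with dots in directory names the php.ini setting is the less disruptive of the two fixes.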
-
05-22-2010, 06:52 PM #2 WHT Addict
- Join Date: Nov 2009
- Location: /usr/home/n3r0x
- Posts: 110
Thanks for the heads up..=)
Testing nginx with php-fpm on my dell 2650 right now..
-
05-22-2010, 09:50 PM #3 Web Hosting Master
- Join Date: Jan 2008
- Location: Europe
- Posts: 779
Confirmed in nginx v0.7.65. (And PHP v5.3.2 with Suhosin patch and extension).
Last edited by sam0; 05-22-2010 at 10:00 PM.