Results 1 to 3 of 3
  1. #1
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,273

    nginx+php-cgi security alert

    original post http://www.80sec.com/nginx-securit.html

    simple translation:


    if you set up your nginx+php-cgi using configuration like this

    location ~ \.php$ {
    root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    include fastcgi_params;
    }
    when someone request http://address/80sec.jpg/80sec.php

    uri would be /80sec.jpg/80sec.php

    SCRIPT_FILENAME would be /scripts/80sec.jpg/80sec.php

    if fix_pathinfo is enable(most likely is)

    SCRIPT_FILENAME would become /scripts/80sec.jpg and PATH_INFO would become 80sec.php

    /scripts/80sec.jpg would become the request processed by php

    means someone can upload a jpg and have it executed as php.

    quick fix: set cgi.fix_pathinfo = 0 in php.ini

    or

    if ( $fastcgi_script_name ~ \..*\/.*php ) {
    return 403;
    }
    other webservers such as lighttpd doesn't have this problem so nginx probably needs to address this.

  2. #2
    Join Date
    Nov 2009
    Location
    /usr/home/n3r0x
    Posts
    110
    Thanks for the heads up..=)
    Testing nginx with php-fpm on my dell 2650 right now..

  3. #3
    Join Date
    Jan 2008
    Location
    England
    Posts
    538
    Confirmed in nginx v0.7.65. (And PHP v5.3.2 with Suhosin patch and extension).
    Last edited by sam0; 05-22-2010 at 10:00 PM.

  4. Newsletters

    Subscribe Now & Get The WHT Quick Start Guide!

Similar Threads

  1. Security Problem when php run as cgi or suphp !!
    By ktjm in forum Hosting Security and Technology
    Replies: 3
    Last Post: 09-02-2008, 11:57 PM
  2. Security Alert! The PHP CGI cannot be accessed directly.
    By slice16 in forum Hosting Security and Technology
    Replies: 4
    Last Post: 05-02-2005, 08:07 AM
  3. Security Alert! The PHP CGI cannot be accessed directly.
    By milkmycow in forum Hosting Security and Technology
    Replies: 11
    Last Post: 08-02-2004, 12:13 AM
  4. PHP and CGI security
    By motl in forum Hosting Security and Technology
    Replies: 10
    Last Post: 10-06-2003, 04:35 AM
  5. RaQ4i Security php, cgi, asp
    By LBJ in forum Dedicated Server
    Replies: 0
    Last Post: 10-21-2001, 08:22 AM

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •