nginx+php-cgi security alert

Reply Post New Thread In Hosting Security and Technology Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
#1 - Web Hosting Master (Join Date: Jun 2004, Location: Oregon, Posts: 1,236)

original post http://www.80sec.com/nginx-securit.html

simple translation:


if you set up your nginx+php-cgi using a configuration like this
Quote:

    location ~ \.php$ {
        root html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        include fastcgi_params;
    }
when someone requests http://address/80sec.jpg/80sec.php

uri would be /80sec.jpg/80sec.php

SCRIPT_FILENAME would be /scripts/80sec.jpg/80sec.php

if fix_pathinfo is enabled (it most likely is)

SCRIPT_FILENAME would become /scripts/80sec.jpg and PATH_INFO would become 80sec.php

/scripts/80sec.jpg would become the request processed by php

this means someone can upload a jpg and have it executed as php.

quick fix: set cgi.fix_pathinfo = 0 in php.ini

or

Quote:

    if ( $fastcgi_script_name ~ \..*\/.*php ) {
        return 403;
    }

other webservers such as lighttpd don't have this problem so nginx probably needs to address this.
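An added, runnable model of the path resolution described in the post above (example code, not from the original post, nginx or PHP): it simulates how php-cgi splits SCRIPT_FILENAME when cgi.fix_pathinfo is on versus off, and applies the thread's regex guard, against a constructed temporary directory holding a fake "image" upload. Function names and the temporary directory are assumptions.

```python
import os
import re
import tempfile

# The guard suggested in the thread:
#   if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
# nginx's "~" is an unanchored, case-sensitive match, so re.search() models it.
GUARD_RE = re.compile(r'\..*\/.*php')


def nginx_guard_blocks(script_name: str) -> bool:
    """True if the thread's location-level 'if' would answer 403 for this URI."""
    return GUARD_RE.search(script_name) is not None


def split_script_filename(script_filename: str, fix_pathinfo: bool):
    """Model of php-cgi resolving SCRIPT_FILENAME.

    With cgi.fix_pathinfo=1, PHP strips trailing path components until the
    remainder is an existing regular file; what was stripped becomes PATH_INFO.
    With cgi.fix_pathinfo=0 the full string itself must be the script.
    Returns (executed_file, path_info), or (None, None) if nothing would run.
    """
    if not fix_pathinfo:
        return (script_filename, '') if os.path.isfile(script_filename) else (None, None)
    parts = script_filename.split('/')
    for i in range(len(parts), 0, -1):
        candidate = '/'.join(parts[:i])
        if os.path.isfile(candidate):
            path_info = '/' + '/'.join(parts[i:]) if i < len(parts) else ''
            return candidate, path_info
    return None, None


def simulate(fix_pathinfo: bool):
    """Replay the thread's request; returns (jpg_executed, path_info, guard_blocks)."""
    with tempfile.TemporaryDirectory() as root:          # stands in for /scripts
        jpg = os.path.join(root, '80sec.jpg')             # constructed upload
        with open(jpg, 'w') as f:
            f.write('<?php /* constructed sample, not an image */ ?>')
        uri = '/80sec.jpg/80sec.php'                      # $fastcgi_script_name
        script_filename = root + uri                      # /scripts$fastcgi_script_name
        executed, path_info = split_script_filename(script_filename, fix_pathinfo)
        return executed == jpg, path_info, nginx_guard_blocks(uri)
```

Note that the regex guard also rejects legitimate URIs whose directory names contain a dot (for example a "/v1.0/index.php" layout), so cgi.fix_pathinfo = 0 is the more precise of the two fixes the post lists.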



#2 - WHT Addict (Join Date: Nov 2009, Location: /usr/home/n3r0x, Posts: 110)

Thanks for the heads up..=)
Testing nginx with php-fpm on my dell 2650 right now..

__________________
Webproxy with Swedish IP | Ziron Assembly - Simple yet powerful

Swedish Developer

#3 - Web Hosting Evangelist (Join Date: Jan 2008, Location: England, Posts: 534)

Confirmed in nginx v0.7.65. (And PHP v5.3.2 with Suhosin patch and extension).


Last edited by sam0; 05-22-2010 at 10:00 PM.