Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : nginx+php-cgi security alert

[CNSERVERS]

original post http://www.80sec.com/nginx-securit.html

simple translation:


if you set up your nginx+php-cgi using configuration like this

Quote:

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}

when someone request http://address/80sec.jpg/80sec.php

uri would be /80sec.jpg/80sec.php

SCRIPT_FILENAME would be /scripts/80sec.jpg/80sec.php

if fix_pathinfo is enable(most likely is)

SCRIPT_FILENAME would become /scripts/80sec.jpg and PATH_INFO would become 80sec.php

/scripts/80sec.jpg would become the request processed by php

means someone can upload a jpg and have it executed as php.

quick fix: set cgi.fix_pathinfo = 0 in php.ini

or

Quote:

if ( $fastcgi_script_name ~ \..*\/.*php ) {
return 403;
}

other webservers such as lighttpd doesn't have this problem so nginx probably needs to address this.

[n3r0x]

Thanks for the heads up..=)
Testing nginx with php-fpm on my dell 2650 right now..

[sam0]

Confirmed in nginx v0.7.65. (And PHP v5.3.2 with Suhosin patch and extension).