Security Risk

Jim Ohlstein jim.ohlstein at gmail.com
Sat Feb 14 04:38:11 MSK 2009


How are you handling php files in your config file? They shouldn't be served as text. Are you using php-fcgi?

Once you have that sorted out, you can use a rewrite something like:

location /path/to/phpmyadmin/ {
	# regex must be quoted; the original was missing the opening quote
	if ( $uri !~ ".*\.php$" ) {
		# every URI under the directory that does not end in .php
		# is sent to the index page; "last" re-runs location matching
		# so /index.php reaches whichever location handles php
		rewrite  ^/(.*)$  /index.php  last;
	}
}

I think that should work to rewrite every non-php request to the index page.

Alternatively you can delete the readme file and other similar non-essential files.


> -----Original Message-----
> From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of
> Stefan Scott
> Sent: Friday, February 13, 2009 7:56 PM
> To: nginx at sysoev.ru
> Subject: Security Risk
> 
> Yeah, this "solution" is definitely a security risk.
> 
> I just did some testing, and I'm able to open *any* file in
> /home/myname/sources/phpmyadmin.
> 
> For example, if I point the browser at:
> 
>   http://mydom.myhost.com/phpmyadmin/index.php
> 
> then Firefox offers to download the index.php file.
> 
> If I point the browser at:
> 
>   http://mydom.myhost.com/phpmyadmin/README
> 
> then it displays the README file in the browser, etc.
> 
> So this is not good.
> 
> How do I set up my directories and my nginx.conf file so that people can
> browse to a site like:
> 
>   http://mydom.myhost.com/mysub-url
> 
> without exposing all the files in the directory $root/mysub-url?
> 
> Thanks.
> 
> --
> Posted via http://www.ruby-forum.com/.
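The situation Stefan describes and the fix Jim sketches, written out as one server block. This is an added example, not configuration from either message in the thread: the hostname and root path are taken from the quoted mail, while the php-fcgi address 127.0.0.1:9000 and the list of static asset extensions are assumptions.

```nginx
# Added example, not from the thread.
server {
    listen      80;
    server_name mydom.myhost.com;       # hostname from the quoted message
    root        /home/myname/sources;   # phpMyAdmin lives in $root/phpmyadmin

    # What the thread describes: only a root and no php handler, so
    # index.php is offered as a download and README is shown as text.
    #
    # location /phpmyadmin/ {
    # }

    # Corrected: the directory is never served as plain files.
    location /phpmyadmin/ {

        # .php scripts are executed by the FastCGI backend, never sent as files
        location ~ \.php$ {
            try_files $uri =404;        # refuse scripts that do not exist on disk
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass 127.0.0.1:9000; # assumed php-fcgi listen address
        }

        # static assets the web UI legitimately needs (assumed extension list)
        location ~ \.(css|js|png|gif|ico)$ {
        }

        # Anything else under the directory (README, ChangeLog, backup copies
        # of config files) is refused instead of being read from disk.
        # "return" in a parent location does not apply to requests handled
        # by one of the nested locations above.
        return 404;
    }
}
```

Once the php location is in place, the rewrite in the reply above becomes optional: refusing unknown files outright is stricter than sending them to index.php.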