Security Risk

Igor Sysoev is at rambler-co.ru
Sat Feb 14 14:59:24 MSK 2009


On Fri, Feb 13, 2009 at 08:38:11PM -0500, Jim Ohlstein wrote:

> How are you handling php files in your config file? They shouldn't be served as text. Are you using php-fcgi?
> 
> Once you have that sorted out, you can use a rewrite something like:
> 
> location /path/to/phpmyadmin/	{
> 	if ( $uri !~ "\.php$" )  {
> 		rewrite  ^/(.*)$ /index.php  last;
> 	}
> }

There is a much better way to do this:

 location /path/to/phpmyadmin/	{
 	rewrite  ^/(.*)$ /index.php  last;
 }

 location ~ ^/path/to/phpmyadmin/.+\.php$ {
 	...
 }

> I think that should work to rewrite every non-php request to the index page.
> 
> Alternatively you can delete the readme file and other similar non-essential files.
> 
> 
> > -----Original Message-----
> > From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of
> > Stefan Scott
> > Sent: Friday, February 13, 2009 7:56 PM
> > To: nginx at sysoev.ru
> > Subject: Security Risk
> > 
> > Yeah, this "solution" is definitely a security risk.
> > 
> > I just did some testing, and I'm able to open *any* file in
> > /home/myname/sources/phpmyadmin.
> > 
> > For example, if I point the browser at:
> > 
> >   http://mydom.myhost.com/phpmyadmin/index.php
> > 
> > then Firefox offers to download the index.php file.
> > 
> > If I point the browser at:
> > 
> >   http://mydom.myhost.com/phpmyadmin/README
> > 
> > then it displays the README file in the browser, etc.
> > 
> > So this is not good.
> > 
> > How do I set up my directories and my nginx.conf file so that people
> > can
> > browse to a site like:
> > 
> >   http://mydom.myhost.com/mysub-url
> > 
> > without exposing all the files in the directory $root/mysub-url?
> > 
> > Thanks.
> > 
> > --
> > Posted via http://www.ruby-forum.com/.
> 

-- 
Igor Sysoev
http://sysoev.ru/en/
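Below is an added, complete server block built on the two-location idea from the reply above; it is example configuration written for this page, not Igor's or the thread's own config. It assumes the phpMyAdmin checkout lives under /home/myname/sources (taken from the original post), that php-fcgi listens on 127.0.0.1:9000 (an assumed address), and that the standard fastcgi_params file ships with nginx. It also goes slightly beyond the thread: the rewrite targets the application's own index.php instead of /index.php, and a third location allows static assets, because a rewrite-everything rule would otherwise send the application's CSS and JavaScript to index.php as well.

```nginx
server {
    listen 80;
    server_name mydom.myhost.com;

    # Parent directory of the phpmyadmin checkout, so that
    # /phpmyadmin/README maps to /home/myname/sources/phpmyadmin/README
    # (path from the original post).
    root /home/myname/sources;

    # PHP scripts under /phpmyadmin/ are passed to the FastCGI backend and
    # never sent to the client as text. A regex location takes precedence
    # over a plain prefix location for any URI it matches, so this block
    # wins for every request ending in .php.
    location ~ ^/phpmyadmin/.+\.php$ {
        fastcgi_pass 127.0.0.1:9000;   # assumed php-fcgi address
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Allow-list of static asset types the application legitimately serves
    # from disk. Anything not on this list falls through to the rewrite.
    location ~ ^/phpmyadmin/.+\.(css|js|png|gif|ico)$ {
        # Empty body: inherits root and serves the file as a static asset.
    }

    # Everything else under /phpmyadmin/ (README, ChangeLog, config backups,
    # and so on) is never read from disk. The request is rewritten to the
    # application's entry point and re-dispatched ("last"), where the .php
    # regex location above picks it up.
    location /phpmyadmin/ {
        rewrite ^ /phpmyadmin/index.php last;
    }
}
```

With this in place a request for /phpmyadmin/README no longer returns the file: it is rewritten to /phpmyadmin/index.php, matched by the regex location, and handed to FastCGI. Note that the allow-list location means a stray file named, say, notes.css would still be served, so keep that list to extensions the application actually needs and test the result with curl against a few paths (README, index.php, a nonexistent .php) after reloading.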