Possible widespread PHP configuration issue - security risk

Ed W lists at wildgooses.com
Fri Aug 27 19:22:21 MSD 2010


Look, not had a lot of success raising this quietly.  The Nginx wiki 
has a number of very insecure PHP configuration suggestions.  Anyone 
using these example configurations should immediately review their 
configuration and ensure that they aren't vulnerable to an upload attack 
where uploaded files might be accidentally treated as executable files 
by nginx.

The core of the problem is that most of the example configurations 
enable php scripts in *all* directories on the server.  Coupled with 
relatively poor upload handling (in most PHP apps) and you have an 
upload attack waiting to blow up on you.

Try the following:

1) PHP uploads allowed (erk...)

Create a file test.php containing:
<?php echo 'hello' ?>

Try and upload this.  If you can then probably turn off the server until 
you fix the issue...

The attack is to construct a URL which points to the uploads directory, eg:
     http://myserver/uploads/test.php


2) JPG uploads allowed, and wildcard ~ .php execution allowed

Create a test file test.jpg as follows:
     # echo -e "\xff\xd8\xff\xe0\n<?php echo 'hello'; ?>" > test.jpg
     # file test.jpg
     test.jpg: JPEG image data

Now try and upload this test.jpg file to your server.  If it succeeds 
then probably turn off the server until you fix the issue...

The attack is to construct a URL which points to the uploads directory 
and then append /.php on the URL, eg:
     http://myserver/uploads/test.jpg/.php

Under *certain* configurations (wildcard php without a specific 
SCRIPT_URL set) this will cause the execution of test.jpg by the php 
interpreter.


The correct solution is where possible:
- Enable PHP only on files in certain directories (if possible). Exclude 
upload dirs!
- Specifically disable (lots of) stuff on any upload locations!! 
Remember configuration ordering in nginx puts regexp before named 
locations (order is important)
- Use try_files and other techniques to additionally lock down uri to 
file mapping
- Check for any Apache .htaccess files shipped with your app and 
translate to nginx config where appropriate (eg blocking certain 
locations completely)

There are plenty of examples of dangerous configuration on the nginx 
wiki.  eg the Wordpress initially presented configuration seems 
vulnerable, but further down that page a more secure config is presented:
     http://wiki.nginx.org/Wordpress
The Media wiki example seems to show the same vulnerability:
     http://wiki.nginx.org/NginxMediaWiki

Please just treat your uploads directory carefully.  It's a huge attack 
vector.

Any volunteers to help improve the Wiki?  Anyone got some better example 
configurations (which are secure)?  I don't use most of the PHP apps 
listed, so it's hard to test their configurations.

Note this is not a problem with Nginx, this is a *configuration issue*.  
However, the docs recommend such an insecure default configuration that 
there must surely be loads of people vulnerable here...

Cheers

Ed W
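For readers who want to see the two configuration shapes side by side, here is an added example (it is not part of Ed's post and not taken from the nginx wiki) showing the wildcard PHP location the post warns about next to a hardened version that applies its recommendations: restrict PHP handling to files that actually exist, and carve the uploads directory out so nothing under it reaches the FastCGI backend. The server name, document root, uploads path and the backend address 127.0.0.1:9000 are assumptions.

```nginx
# WEAK (the pattern the post describes): the regex matches ".php" anywhere in
# the URI, there is no try_files, and nothing excludes /uploads/.  A request
# for /uploads/test.jpg/.php is therefore handed to the FastCGI backend with
# SCRIPT_FILENAME set to a path that does not exist, leaving it to PHP's own
# path-info handling to decide which file to run.
#
#     location ~ \.php {
#         include fastcgi_params;
#         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#         fastcgi_pass 127.0.0.1:9000;
#     }

server {
    listen 80;
    server_name myserver;            # assumed hostname
    root /var/www/app;               # assumed document root

    # Uploads: static files only.  The "^~" modifier makes this prefix
    # location win over the regex PHP location below (regexes are not
    # consulted once a ^~ prefix matches), so no request under /uploads/
    # is ever passed to PHP, whatever its name or trailing path.
    location ^~ /uploads/ {
        # Refuse any URI that contains a .php component, including the
        # test.jpg/.php and test.php/anything variants from the post.
        location ~ \.php {
            return 403;
        }
        try_files $uri =404;
    }

    # Hardened PHP handler: the regex is anchored to the end of the URI,
    # and try_files refuses the request unless the mapped file exists on
    # disk, so /some/dir/test.jpg/.php becomes a 404 instead of a script run.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;  # assumed PHP FastCGI backend
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Two checks worth running after changing the config: request /uploads/test.php and /uploads/test.jpg/.php and confirm both return 403 or 404 rather than the output of the script, and request a non-existent /foo.php to confirm the PHP location itself answers 404. As a second, independent layer, PHP's `cgi.fix_pathinfo` setting in php.ini, when set to 1, is what lets the interpreter fall back from a non-existent SCRIPT_FILENAME to a parent path such as test.jpg; setting it to 0 removes that fallback, but the nginx-side restrictions above should not depend on it.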
