Possible widespread PHP configuration issue - security risk
lists at wildgooses.com
Fri Aug 27 19:22:21 MSD 2010
Look, I have not had a lot of success raising this quietly. The Nginx wiki
has a number of very insecure PHP configuration suggestions. Anyone
using these example configurations should immediately review their
configuration and ensure that they aren't vulnerable to an upload attack
where uploaded files might accidentally be treated as executable files.
The core of the problem is that most of the example configurations
enable PHP scripts in *all* directories on the server. Couple that with
the relatively poor upload handling in most PHP apps and you have an
upload attack waiting to blow up on you.
Try the following:
1) PHP uploads allowed (erk...)
Create a file test.php containing:
<?php echo 'hello' ?>
Try and upload this. If you can then probably turn off the server until
you fix the issue...
The attack is to construct a URL which points to the uploads directory, eg:
2) JPG uploads allowed, and wildcard ~ .php execution allowed
Create a test file test.jpg as follows:
# echo -e "\xff\xd8\xff\xe0\n<?php echo 'hello'; ?>" > test.jpg
# file test.jpg
test.jpg: JPEG image data
Now try and upload this test.jpg file to your server. If it succeeds
then probably turn off the server until you fix the issue...
The attack is to construct a URL which points to the uploads directory
and then append /.php on the URL, eg
Under *certain* configurations (wildcard php without a specific
SCRIPT_URL set) this will cause the execution of test.jpg by the php
The correct solution is where possible:
- Enable PHP only on files in certain directories (if possible). Exclude
- Specifically disable (lots of) stuff on any upload locations!!
Remember configuration ordering in nginx puts regexp before named
locations (order is important)
- Use try_files and other techniques to additionally lock down uri to
- Check for any Apache .htaccess files shipped with your app and
translate to nginx config where appropriate (eg blocking certain
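As an added illustration (this is not configuration from the original post or from the nginx wiki), here is the catch-all PHP location the post warns about, shown commented out, followed by a hardened version that applies the points above. The document root /var/www/example, the /uploads/ path, the host name and the FastCGI address 127.0.0.1:9000 are assumptions for the example.

```nginx
# VULNERABLE pattern (the one the post warns about): every URI ending in
# .php, anywhere under the document root, is handed to PHP. A request for
# /uploads/test.jpg/.php matches, SCRIPT_FILENAME becomes
# /var/www/example/uploads/test.jpg/.php, and PHP walks back along the
# path and executes test.jpg.
#
# location ~ \.php$ {
#     fastcgi_pass  127.0.0.1:9000;   # assumed PHP FastCGI address
#     fastcgi_index index.php;
#     include       fastcgi_params;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# }

server {
    listen      80;
    server_name example.invalid;        # placeholder host name
    root        /var/www/example;       # assumed document root

    # Upload location: static files only, never PHP. The ^~ modifier makes
    # this prefix match win over the \.php$ regex location below, so the
    # ordering of blocks in the file no longer decides who handles
    # /uploads/... requests.
    location ^~ /uploads/ {
        # belt and braces: refuse anything here that still looks like PHP,
        # including /uploads/test.jpg/.php and /uploads/test.php
        location ~ \.php$ {
            return 403;
        }
        try_files $uri =404;
    }

    # PHP only where a file with exactly that name exists on disk:
    # /uploads/test.jpg/.php is not a file, so it gets a 404 and never
    # reaches the FastCGI backend.
    location ~ \.php$ {
        try_files     $uri =404;
        fastcgi_pass  127.0.0.1:9000;   # assumed PHP FastCGI address
        fastcgi_index index.php;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

With this in place, the post's own check (upload test.jpg, then request it with /.php appended) should return 403 from the /uploads/ block rather than "hello". The path walk-back that turns test.jpg/.php into test.jpg is PHP's cgi.fix_pathinfo behaviour, so setting cgi.fix_pathinfo=0 in php.ini is an independent second layer; the nginx side above does not rely on it.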
There are plenty of examples of dangerous configuration on the nginx
wiki. eg the Wordpress initially presented configuration seems
vulnerable, but further down that page a more secure config is presented:
The Media wiki example seems to show the same vulnerability:
Please just treat your uploads directory carefully. It's a huge attack
Any volunteers to help improve the Wiki? Anyone got some better example
configurations (which are secure)? I don't use most of the PHP apps
listed, so it's hard to test their configurations.
Note this is not a problem with Nginx, this is a *configuration issue*.
However, the docs recommend such an insecure default configuration that
there must surely be loads of people vulnerable here...