Possible widespread PHP configuration issue - security risk

zuborg nginx-forum at nginx.us
Fri Aug 27 19:47:47 MSD 2010

http://myserver/uploads/test.jpg/.php - this attack relyes on some
php-fcgi feature ?

I don't think it will work on 'proxy_pass' to Apache

Actually, there is difference between
location ~ .php$ { }
location ~ .php {}

Last one will match 'test.php.jpg', but Apache will still handle such
file as image/jpeg, so 'fastcgi_pass' is  still required to exploit such

It also applyes to first exploit too - most installations forbid access
to *.php files in upload/ dir by .htaccess, so 'proxy_pass' will return
403 in most cases.

But, again, people using 'fastcgi_pass' should take a look at their
configs, they really may be vulnerable.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,124297,124308#msg-124308

More information about the nginx mailing list