Possible widespread PHP configuration issue - security risk
lists at wildgooses.com
Fri Aug 27 21:28:23 MSD 2010
> The simplest solution to the problem presented would be to change the wiki to encourage users to set their upload directory to a location not served by nginx (and thus not executable by PHP). This is *entirely* a PHP configuration issue.
I *think* I'm right in saying this is going to be more down to
application support than a PHP issue? A few applications *do* move
their upload directory outside of the document path (Gallery 2 comes to
mind). However, the vast majority don't seem to. Further I don't see
how this can be changed in general since it would require the
application to then proxy all requests for those assets?
Mediawiki for example does it's best to parse uploads and check they are
safe, but after that it stuff them in the /images/ directory and leaves
it up to your webserver to serve them (which leaves open the possibility
that the webserver might inadvertently process them as some kind of cgi
or SSI or whatever)
> There are still dangers depending on what the application does with the uploaded files, but those exist no matter what. Making the change to the documentation to encourage this best practice should suffice for us.
Actually I believe we can do better...
The documentation bit is to warn users that SSI/CGI/dir listing/etc
should be disabled on any location that the users can upload to.
However, I think we can provide some default nginx config which does
I have already proposed by lame attempt at this, but I'm hoping someone
will show something much neater, possibly involving try_files and a @php
location? After that I think we have a great starting point for a
generic CGI entry and this can migrate to all the other wiki entries
Please don't forget about SSI and all other server side processing which
can be abused. ALL of this stuff should be turned off for untrusted
content in general. This isn't a new warning... It's just that most
config examples aren't showing how to do this for nginx (apache tends to
be the default)
More information about the nginx