Possible widespread PHP configuration issue - security risk

Cliff Wells cliff at develix.com
Fri Aug 27 21:30:43 MSD 2010

On Fri, 2010-08-27 at 11:13 -0600, Adam Younce wrote:
> Gentlemen, please. Let's keep this civil.
> The simplest solution to the problem presented would be to change the
> wiki to encourage users to set their upload directory to a location
> not served by nginx (and thus not executable by PHP). This is
> *entirely* a PHP configuration issue.

This won't work for most canned applications (WordPress, MediaWiki, et
al) since uploads are done via PHP.

I don't think anyone is arguing that this is an Nginx issue.  The
concern is that information is being disseminated via the wiki that
defaults to exposing this hole in PHP and hence lots of Nginx+PHP users
are undoubtedly vulnerable.

I think the best course of action is to get Ed's explanation of the
issue onto the wiki, add a link from each and every PHP config back to
it along with a request that someone who actually uses that config
verify that it is not vulnerable (or apply a fix if it is) and update
the wiki. If we can't get that to happen then we deserve what we get.
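An added example, not part of this message or of the thread: the hole the thread refers to without spelling it out is that the usual `location ~ \.php$` block hands nginx any URI ending in `.php` to the FastCGI backend, and PHP with `cgi.fix_pathinfo=1` then walks the requested path back to the nearest existing file, so a request for `/uploads/avatar.jpg/x.php` executes the uploaded `avatar.jpg` with `/x.php` as PATH_INFO. The Python model below reproduces both halves of that behaviour on a temporary directory and shows the two common fixes: `try_files $uri =404;` inside the php location, and `cgi.fix_pathinfo=0`. The file names, paths and model functions are assumptions for illustration, not nginx or PHP code.

```python
import os
import re
import shutil
import tempfile

# Models the `location ~ \.php$ { fastcgi_pass ...; }` block: any URI whose
# last component ends in .php is sent to PHP, whatever sits in front of it.
PHP_LOCATION = re.compile(r"\.php$")


def nginx_route(document_root, uri, try_files):
    """Model of what nginx hands to the FastCGI backend for a request URI.

    try_files=True models `try_files $uri =404;` inside the php location:
    nginx checks that the requested path is a real file before proxying.
    Returns None (static file, never reaches PHP), "404", or the
    SCRIPT_FILENAME it would pass on.
    """
    if not PHP_LOCATION.search(uri):
        return None
    script_filename = os.path.join(document_root, uri.lstrip("/"))
    if try_files and not os.path.isfile(script_filename):
        return "404"
    return script_filename


def php_resolve_script(script_filename, fix_pathinfo):
    """Model of php-cgi/php-fpm choosing the script to execute.

    With cgi.fix_pathinfo=1 PHP walks back one path component at a time
    until it finds an existing file and treats the stripped tail as
    PATH_INFO. With cgi.fix_pathinfo=0 a non-existent SCRIPT_FILENAME is
    rejected ("No input file specified."). Returns (script, path_info).
    """
    if os.path.isfile(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        return None, ""
    path, path_info = script_filename, ""
    while True:
        head, tail = os.path.split(path)
        if head == path or not tail:
            return None, ""
        path_info = "/" + tail + path_info
        path = head
        if os.path.isfile(path):
            return path, path_info


def simulate(document_root, uri, try_files, fix_pathinfo):
    """Full request path: nginx routing, then PHP script selection."""
    target = nginx_route(document_root, uri, try_files)
    if target is None or target == "404":
        return target
    script, _path_info = php_resolve_script(target, fix_pathinfo)
    return script


def demo():
    """Constructed scenario (hypothetical names): an 'image' upload that is
    really PHP code, requested through the .php location with a bogus
    trailing component. Returns which file PHP would execute under the
    default config and under each of the two fixes."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "avatar.jpg"), "w") as f:
            f.write("<?php echo 'hello'; ?>")  # constructed upload contents
        uri = "/uploads/avatar.jpg/x.php"
        return {
            "default": simulate(root, uri, try_files=False, fix_pathinfo=True),
            "try_files": simulate(root, uri, try_files=True, fix_pathinfo=True),
            "fix_pathinfo_off": simulate(root, uri, try_files=False, fix_pathinfo=False),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, executed in demo().items():
        print(f"{name}: {executed}")
```

Under the default combination the executed script is the uploaded `avatar.jpg`; either fix stops the request before any upload is interpreted, which is why moving uploads outside the served tree is not the only option for canned applications that must upload through PHP.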


More information about the nginx mailing list