Possible widespread PHP configuration issue - security risk

Ed W lists at wildgooses.com
Fri Aug 27 21:33:23 MSD 2010


> Your situation number 2 is about path info which is enabled in PHP by
> default so that requests like
> http://mysite.com/chive/index.php/site/login
> will work.  Most web apps don't need the cgi.fix_pathinfo feature turned
> on.  Drupal, Wordpress use queries.  i.e.
> http://mysite.com/wordpress/index.php?q=/site/login
> Some things like chive need the path info feature, and so the PHP devs
> ship PHP with cgi.fix_pathinfo turned on by default, which leads to the
> vulnerability with common nginx configurations.  Luckily, nginx has
> support for pathinfo without enabling cgi.fix_pathinfo in php.  I noted
> the config above.

Thanks for clarifying this - I guess I didn't understand my own example 

This stuff is quite subtle - I hope we are getting somewhere towards a 
generic config starting point now...

> The only solution is to alert people to these complexities, and to
> update the sample configs on the wiki.  Unfortunately, there's about a
> thousand sample configs on the web which don't account for this issue.
> A page on the wiki specifically addressing upload directories and
> cgi.fix_pathinfo would also be a good idea.

Sounds excellent - I'm hoping some smarter folks can also suggest a 
baseline cgi config and then we have all the bits together?

Note some other smart people might point out that there is other nginx-specific 
config that might usefully be applied to untrusted upload 
directories?  Anyone think of anything that might be missed along the 
SSI/directory listing line that could be abused?


Ed W

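As an added example (not from this thread and not the nginx project's own sample config), a server block that handles path info in nginx without cgi.fix_pathinfo and keeps PHP away from an untrusted upload directory; the host name, document root, upload path and PHP-FPM socket are assumed:

```nginx
# Added example, not from the original thread. Assumed values:
# host example.com, document root /var/www/app, uploads under
# /var/www/app/uploads, PHP-FPM listening on /run/php-fpm.sock.
server {
    listen 80;
    server_name example.com;
    root /var/www/app;
    index index.php;

    # Untrusted uploads: nothing under here is ever handed to PHP,
    # and SSI processing / directory listings stay off for it.
    location ^~ /uploads/ {
        autoindex off;
        ssi off;
        # Matches /uploads/x.php and /uploads/x.jpg/y.php alike.
        location ~ \.php$ { return 404; }
    }

    # PHP with path info (e.g. /index.php/site/login) split by nginx,
    # so PHP's cgi.fix_pathinfo can stay off.
    location ~ ^(.+\.php)(/.*)?$ {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        # try_files below re-evaluates the location, which clears
        # $fastcgi_path_info; keep a copy first.
        set $path_info $fastcgi_path_info;
        # Only pass requests whose script file really exists on disk;
        # a request naming a non-existent .php path gets a 404 here
        # instead of reaching the FastCGI backend.
        try_files $fastcgi_script_name =404;
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
    }

    location / {
        try_files $uri $uri/ /index.php$uri?$args;
    }
}
```

With this in place, cgi.fix_pathinfo=0 can be set in php.ini; check with `nginx -t` before reloading.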