Possible widespread PHP configuration issue - security risk
mike503 at gmail.com
Fri Aug 27 22:15:45 MSD 2010
On Fri, Aug 27, 2010 at 11:13 AM, Cliff Wells <cliff at develix.com> wrote:
> It is subtle, but all fixes are, because the underlying vulnerability is
> quite subtle. What user isn't going to look at that and say to
> themselves "why do I need this if statement?". Just use the try_files
> and add a comment to its purpose.
The caveat with try_files is that it means nginx needs filesystem access to
check the existence of the file, plus an additional stat call (or more)
- it can be in the open file cache; on modern systems it's not a huge
deal, etc., etc.
But it won't help if you fastcgi_pass to a remote server where nginx
does not have the same path to the file (or access to the PHP
file) at all.
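As an added illustration (not part of this thread, with placeholder docroot and backend address), a PHP location block without the existence check next to the try_files form; the comment on try_files records the caveat above, that the stat only helps when nginx sees the same filesystem as the PHP backend:

```nginx
server {
    listen 80;
    server_name example.com;       # placeholder
    root /var/www/example;         # placeholder docroot shared with PHP

    # Weak (kept commented out so the two locations do not clash):
    # any URI ending in .php is handed to PHP with no check that the
    # script actually exists on disk.
    # location ~ \.php$ {
    #     fastcgi_pass 127.0.0.1:9000;
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # }

    # Corrected: try_files stats the requested file first and returns
    # 404 if it is not present. Leave this comment in place so the line
    # is not removed as "unnecessary" later.
    location ~ \.php$ {
        # Only effective when nginx can stat the same path the PHP
        # backend will execute; with a remote fastcgi_pass whose
        # filesystem nginx cannot see, this check does nothing useful.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;   # placeholder local backend
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```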