nginx 0day exploit for nginx + fastcgi PHP

Avleen Vig avleen at gmail.com
Fri May 21 21:27:14 MSD 2010


On Fri, May 21, 2010 at 10:07 AM, Avleen Vig <avleen at gmail.com> wrote:
> This is currently doing the rounds, so I thought it pertinent to post
> it here too.
>
> http://www.webhostingtalk.com/showthread.php?p=6807475#post6807475
>
> I don't know what nginx should do to fix this, but there are two
> workarounds given.
> If you allow file uploads (especially things like images) and use PHP
> FastCGI in the back end, you should take a look at this now.
> The exploit allows any arbitrary file which is uploaded to be
> executed as PHP.

I should add that this isn't a bug in the traditional broken-code sense.
More that this is a gaping configuration hole which is now widely
published, and could lead to many people being exploited.


