nginx 0day exploit for nginx + fastcgi PHP

Igor Sysoev igor at
Fri May 21 21:33:02 MSD 2010

On Fri, May 21, 2010 at 10:07:00AM -0700, Avleen Vig wrote:

> This is currently doing the rounds, so I thought it pertinent to post
> it here too.
> I don't know what nginx should do to fix this, but there are two
> workarounds given.
> If you allow file uploads (especially things like images) and use PHP
> FastCGI in the back end, you should take a loot at this now.
> The exploit allows for any arbitrary file which is uploaded, to be
> executed as PHP.

I do not see why this is treated as nginx bug ?
Why is anyone able at all to upload images to /scripts directory ?
Why does PHP have cgi.fix_pathinfo option ?
BTW, I'm just curious how does lighttpd resolve this issue ?

Also instead of

if ( $fastcgi_script_name ~ \..*\/.*php ) {
    return 403;

it should be worked around as

location ~ \..*/.*\.php$ {
    return 403;

location ~ \.php$ {
    return 403;

Igor Sysoev

More information about the nginx mailing list