nginx 0day exploit for nginx + fastcgi PHP

Eren Türkay eren at
Tue May 25 19:43:14 MSD 2010

On Fri, May 21, 2010 at 10:27:14AM -0700, Avleen Vig wrote:
> I should add that this isn't a bug in the traditional broken-code sense.
> More that this is a gaping configuration hole which is now widely
> published, and could lead to many people being exploited.

Can anyone clarify the proposed solution for the problem? I'm confused
about the issue, and the rest of the topic apart from discussing
"fix_pathinfo" option is about nginx configuration and regex problems.

So, what does "cgi.fix_pathinfo = 0" stand for and how users are
advised to take action? It would be really pleasant to get a simple and
clarifying explanation.


More information about the nginx mailing list