Nginx+Php-fpm Dangerous Bug

escavern nginx-forum at
Sat Dec 3 08:26:31 UTC 2011

This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
Nginx+php-fpm shows a dangerous bug because it allows a PHP shell
hidden in an image to run.

If you have a PHP script like this:

    $rfi = $_GET['call'];

and a PHP shell formed in an image (jpg/gif) can be made to run
with a command like this
but it doesn't have any effect when I tried it on Apache.

As an example, you can see here: <------------ using Nginx, and the
PHP shell executed

and <---------------- using Apache, and the
PHP shell could not be executed

Someone told me I should use:
1. try_files $uri =404;  or this:
2. if (!-f $request_filename) { return 404; } or this
5. Igor Sysoev's tips: ,88845,88858#msg-88858
but none of them work; I can still access  and the PHP shell still

I'm using Nginx 0.8.53 and php-fpm. My website has been hacked 3 times
through this bug.
I hope someone knows what to do in this situation, because I think this
is a serious bug and there will be many victims if it is not solved.


Please give me a solution. Thanks.

Posted at Nginx Forum:,219532,219532#msg-219532
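
An added example, not part of the original post and not nginx or PHP project code: assuming the script passes `$_GET['call']` to `include` (the post shows only the assignment), the request nginx sees is for a real script, so the file check that matters has to happen in PHP. The names `PAGES`, `PAGE_DIR` and `resolve_page` and the page files are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumption: the value read from
// $_GET['call'] ends up in include/require, which the post does not show.

// Hypothetical allow-list: public page name => file shipped with the application.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Hypothetical directory that holds only application code, never uploads.
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map the request parameter to a file on the allow-list.
 * Returns null for anything else, so an uploaded image path or a URL
 * is never handed to include.
 */
function resolve_page($call): ?string
{
    // Arrays (?call[]=x) and other non-strings are rejected outright.
    if (!is_string($call) || !array_key_exists($call, PAGES)) {
        return null;
    }
    $path = realpath(PAGE_DIR . '/' . PAGES[$call]);
    $base = realpath(PAGE_DIR);
    // Defence in depth: the resolved file must exist and sit inside PAGE_DIR.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['call'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit;
}
include $target;
```

Keeping `allow_url_include` at its default of Off in php.ini also stops `include` from fetching remote URLs.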
