Nginx+Php-fpm Dangerous Bug

Edho Arief edho at
Sat Dec 3 09:04:52 UTC 2011

On Sat, Dec 3, 2011 at 3:26 PM, escavern <nginx-forum at> wrote:
> This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
> Nginx+php-fpm shows this dangerous bug because it allows a PHP shell
> hidden in an image to run,
> if you have a php script like this:
> ------------------------------------------------------------------------------------------------------------
> <?php
>    $rfi = $_GET['call'];
>    include($rfi);
> ?>

You must be kidding me. That's like asking why you get SQL
injection when you have code like this: mysql_query("select * from
users where username = '$_GET['user']'").


echo file_get_contents($rfi);

instead. Note that even with this someone can set the parameter to
something like "../index.php" and with sufficient effort might be able
to locate your database etc. (or your /etc/passwd). Something like

echo file_get_contents('./uploaddir/'.basename($rfi));

is much better. Note that I'm not sufficiently knowledgeable in PHP, so
the recommendation above might still be insecure.

Apache has more hand-holding features, which is why it doesn't work there.
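The two forms discussed in this thread side by side, as an added example (my code, not the poster's or nginx's): the quoted include() that executes whatever file the caller names, and a file-serving version that reads bytes instead of executing them and refuses anything outside a fixed upload directory. The directory ./uploaddir and the helper name safeUploadPath are assumptions.

```php
<?php
// Added example, not code from the thread. Contrasts the quoted
// include($_GET['call']) with serving files from one fixed directory.
// Assumes an upload directory at ./uploaddir (assumption, not from the thread).

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploaddir';

/**
 * Resolve a user-supplied name to a file inside UPLOAD_DIR, or null.
 * basename() strips directory components ("../index.php" -> "index.php"),
 * and realpath() confirms the final path is still under the upload root
 * (a symlink inside uploaddir could otherwise point elsewhere).
 */
function safeUploadPath(string $name): ?string
{
    $base = basename($name);
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    $root = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $base);
    if ($root === false || $path === false) {
        return null;
    }
    // Require the resolved file to sit directly under the resolved root.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable form from the thread: include() parses and executes whatever
// PHP the named file contains, wherever it lives.
// include($_GET['call']);

// Safer form: read bytes, never execute them, and only from UPLOAD_DIR.
$path = safeUploadPath($_GET['call'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

Serving the file as application/octet-stream also keeps a PHP file that was uploaded with an image extension from being handed back to the interpreter by the web server's own handler rules.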
