nginx 0day exploit for nginx + fastcgi PHP

gdork nginx-forum at
Thu Jan 27 07:07:09 MSK 2011

40 of my servers were compromised because of this issue and I just found
out about it...aarrrghhhh.
There are php cmd shell trojans everywhere now!

I was able to easily replicate this issue, and the cgi.fix_pathinfo=0
fix did NOT work on my systems.


location ~ \..*/.*\.php$ {
return 403;

Did solve the issue however.

It is VERY common for image hosting sites to allow file uploads to the
web directory.
Any can upload a php file as an image and immediately execute it.
nginx should NOT allow the fastcgi backend to execute code in a file
that does not even exist.

/blah/blah/virusimage.jpg/hello.php should never execute the hidden php
code inside the file virusimage.jpg
I wonder how many sites have been trojaned because of this.  Ive been
searching vulnerability databases for days and never came across this
nginx issue. :(

Posted at Nginx Forum:,88845,169953#msg-169953

More information about the nginx mailing list