nginx 0day exploit for nginx + fastcgi PHP

Edho P Arief edhoprima at
Thu Jan 27 08:23:21 MSK 2011

On Thu, Jan 27, 2011 at 11:07 AM, gdork <nginx-forum at> wrote:
> 40 of my servers were compromised because of this issue and I just found
> out about it...aarrrghhhh.
> There are php cmd shell trojans everywhere now!
> I was able to easily replicate this issue, and the cgi.fix_pathinfo=0
> fix did NOT work on my systems.
> Adding:
> location ~ \..*/.*\.php$ {
> return 403;
> }

I believe one of the solution is adding

try_files $uri =403;

to the php block.

Other one is to allow php on specific directory/file only.
Other one is to disable php on user-upload directory by creating its
own location block.

And the other is to not use php at all :)

More information about the nginx mailing list