nginx 0day exploit for nginx + fastcgi PHP

Michael Shadle mike503 at
Thu Jan 27 09:04:19 MSK 2011

On Wed, Jan 26, 2011 at 9:23 PM, Edho P Arief <edhoprima at> wrote:

> I believe one of the solutions is adding
> try_files $uri =403;

It adds another stat call or two but I believe it's acceptable (and
the stat calls are cached using open_file_cache).

> And the other is to not use php at all :)


You can also use something Igor had mentioned using named captures:

location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
        # ... other fastcgi params ...
        # Pass only the captured script part as the file to execute
        fastcgi_param SCRIPT_FILENAME  $document_root$script;
}
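
An added example, not part of the original message or of nginx itself: a small Python model of the two approaches mentioned above, showing what each one does with a request URI before PHP sees it. The document root contents, the request URIs and the function names are constructed for illustration, and 200 here only stands for "the request continues to FastCGI".

```python
import os
import re
import tempfile

# The location regex from the message, in Python syntax: PCRE's (?<name>...)
# is written (?P<name>...) in Python's re module.
LOCATION_RE = re.compile(r"^(?P<script>.+\.php)(?P<path_info>.*)$")


def try_files_status(docroot, uri):
    """Model of `try_files $uri =403;`: continue (200) only if $uri is a regular file."""
    return 200 if os.path.isfile(docroot + uri) else 403


def named_capture_split(docroot, uri):
    """Model of the named-capture location: (SCRIPT_FILENAME, path_info, file exists)."""
    m = LOCATION_RE.match(uri)
    if m is None:
        return None  # location does not match, so this block never handles the request
    script_filename = docroot + m.group("script")
    return script_filename, m.group("path_info"), os.path.isfile(script_filename)


def build_docroot():
    """Constructed document root containing a single script, index.php."""
    docroot = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(docroot, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok';\n")
    return docroot


def compare(docroot, uris):
    """Return {uri: (try_files status, named-capture result)} for each URI."""
    return {u: (try_files_status(docroot, u), named_capture_split(docroot, u))
            for u in uris}


if __name__ == "__main__":
    root = build_docroot()
    # Constructed URIs: a plain script, a PATH_INFO URL, a script that does not exist.
    uris = ["/index.php", "/index.php/foo/bar", "/missing.php"]
    for uri, (status, split) in compare(root, uris).items():
        print(f"{uri:22} try_files -> {status}   named capture -> {split}")
```

In this model the `try_files` guard also rejects the PATH_INFO-style URL, while the named-capture location keeps it working but does not itself check that the captured script exists on disk.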
