Some security vulnerable

António P. P. Almeida appa at
Sun Jun 5 21:40:13 MSD 2011

On 5 Jun 2011 14h40 WEST, tomlove at wrote:

> On 5 June 2011 12:01, Kraiser <nginx-forum at> wrote:
>> What do you guys think about implementing this in nginx just like it
>> is in apache?  if ( $fastcgi_script_name ~ \..*\/.*php ) { return
>> 403; } because without that some servers which allow uploading
>> images are vulnerable to external exploits.
> They're vulnerable because of bad site design and configuration
> (although I do think nginx's location parsing logic makes it
> uncomfortably easy to produce insecure configurations). Why not
> eliminate the vulnerability instead of hardening against it with
> more configuration? The .php match should not be attempted in any
> untrusted user-upload directory -- use sub-locations.

I agree. Either nested locations and/or enumeration of all PHP-enabled
locations is the way to go. The above is just a stopgap for a proper,
meaning secure, configuration.
--- appa
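
The approach recommended in the replies above (sub-locations for the upload directory, enumeration of PHP-enabled locations), sketched as an added example that is not from the thread or from the nginx project. The document root, the `/uploads/` directory, the `/index.php` front controller and the PHP-FPM socket path are assumptions.

```nginx
# Added illustration; all paths, names and the socket are assumed values.

# Weak pattern (commented out): a catch-all regex location hands every
# URI ending in .php to PHP, including URIs under the upload directory.
# location ~ \.php$ {
#     include fastcgi_params;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#     fastcgi_pass unix:/run/php-fpm.sock;
# }

server {
    listen 80;
    server_name example.com;
    root /var/www/example;

    # Enumerated PHP-enabled location: exact match, fixed script path,
    # so SCRIPT_FILENAME never depends on the request URI.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php-fpm.sock;
    }

    # Untrusted upload directory: ^~ stops server-level regex locations
    # from being tried, and no fastcgi_pass exists anywhere in this block.
    location ^~ /uploads/ {
        try_files $uri =404;

        # Nested location: refuse any path that mentions .php at all.
        location ~ \.php {
            return 403;
        }
    }

    # Everything else is static or routed to the front controller.
    location / {
        try_files $uri /index.php?$args;
    }

    # Any .php URI that was not enumerated above is never executed.
    location ~ \.php {
        return 404;
    }
}
```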
