Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Lukas0907 nginx-forum at
Tue Mar 8 17:33:47 MSK 2011


I discovered a vulnerability in your best practice wiki article:

The configuration which is promoted as "good" doesn't work as intended:

server {
    server_name _;
    root /var/www/site;
    location / {
        try_files $uri $uri/ @proxy;
    }
    location @proxy {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}

try_files checks if a file exists and if it does, it is simply returned
to the browser. This is a good thing for static files, but with this
configuration PHP files are not parsed.

$ curl -i http://foo.lan/info.php
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 08 Mar 2011 14:08:07 GMT
Content-Type: application/octet-stream
Content-Length: 20
Last-Modified: Tue, 08 Mar 2011 13:05:32 GMT
Connection: keep-alive
Accept-Ranges: bytes

<?php phpinfo(); ?>

The configuration works, i.e. the PHP files are parsed, only in one
case: if nginx believes the file does not exist (although it does) and
hands the request to the FastCGI instance.

C:\Users\Lukas>curl -i http://foo.lan/info.php/asdf
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 08 Mar 2011 14:21:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.5-1 <-------- This file was parsed by PHP as


Posted at Nginx Forum:,181274,181274#msg-181274
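
The two responses in the message above can be told apart mechanically, which is useful as a regression check after changing a try_files setup. The following is an added example, not part of the original post: it classifies a `curl -i` style dump as raw PHP source served to the client or as PHP-executed output. The sample responses are abridged from the post's output, the body of the second one is constructed, and the function names are hypothetical.

```python
import re

# Abridged from the first response in the post: file served as a static download.
RAW_STATIC = """HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: application/octet-stream
Content-Length: 20

<?php phpinfo(); ?>
"""

# Headers abridged from the second response; the body is constructed.
RAW_PARSED = """HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: PHP/5.3.5-1

<html>constructed body</html>
"""

# An unescaped PHP open tag in a response body means the source was not interpreted.
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

def parse_response(raw):
    """Split a curl -i style dump into (status, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw):
    """Return 'source-disclosed', 'executed' or 'inconclusive'."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return "inconclusive"
    if PHP_OPEN_TAG.search(body):
        return "source-disclosed"  # raw PHP reached the client
    # X-Powered-By is only sent when expose_php is on, so its absence proves nothing.
    if "php" in headers.get("x-powered-by", "").lower():
        return "executed"
    return "inconclusive"
```

A page that legitimately prints an unescaped PHP open tag would be flagged as well, so a hit is a prompt to inspect the location block rather than proof on its own.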