nginx 0day exploit for nginx + fastcgi PHP

Reinis Rozitis r at
Fri Feb 17 16:40:05 UTC 2012

> Seriously if it doesn't works for lighttppd that use php fcgi and works
> for nginx it is nginx issue isn't it ?

With certain configuration similar issues are also in apache but it doesn't necessary mean the webserver is at fault.

Since php 5.3.9 the fpm sapi has 'security.limit_extensions'  (defaults to '.php') which limits the extensions of the main script 
FPM will allow to parse.
It should prevent poor configuration mistakes.


More information about the nginx mailing list