nginx 0day exploit for nginx + fastcgi PHP

zsero nginx-forum at
Tue Oct 30 17:01:58 UTC 2012

I know it's an old thread but my question really belongs here.

1. Can you confirm that with recent PHP implementations (5.3.9+) this fix
isn't needed anymore?

2. Does it mean that some PHP implementations like the up-to-date ones in
DotDeb repository don't need it (PHP 5.4.8 and PHP 5.3.18), but Debian
stable still needs it (5.3.3-7+squeeze14)?


Reinis Rozitis Wrote:
> > Seriously if it doesn't work for lighttpd that uses php fcgi and works
> > for nginx it is an nginx issue, isn't it?
> With certain configuration similar issues are also in apache but it
> doesn't necessarily mean the webserver is at fault.
> Since php 5.3.9 the fpm sapi has 'security.limit_extensions' 
> (defaults to '.php') which limits the extensions of the main script 
> FPM will allow to parse.
> It should prevent poor configuration mistakes.
> rr 

Posted at Nginx Forum:,88845,232398#msg-232398
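
An added example, not part of the original post and not nginx or PHP project code: a small audit that reports whether a PHP-FPM pool can rely on `security.limit_extensions`, using the 5.3.9 threshold from the quoted reply. The function names, status labels and sample pool text are constructed for illustration, and it assumes only the upstream version number matters (distribution backports are not detected).

```python
import re

# First upstream PHP release with security.limit_extensions (per the quoted reply).
MIN_VERSION = (5, 3, 9)
DEFAULT_EXTENSIONS = [".php"]  # FPM's default when the directive is not set

def upstream_version(pkg_version):
    """Return (major, minor, patch) from strings such as '5.3.3-7+squeeze14'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", pkg_version)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % (pkg_version,))
    return tuple(int(part) for part in m.groups())

def pool_limit_extensions(pool_conf):
    """Return the configured extension list, or None if the directive is absent."""
    value = None
    for raw in pool_conf.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in pool files
        m = re.match(r"security\.limit_extensions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip("\"' ").split()  # this sketch keeps the last value seen
    return value

def audit(pkg_version, pool_conf):
    """Return (status, effective_extensions) for one FPM pool."""
    if upstream_version(pkg_version) < MIN_VERSION:
        return ("unsupported", None)       # directive does not exist upstream
    configured = pool_limit_extensions(pool_conf)
    if configured is None:
        return ("default", DEFAULT_EXTENSIONS)
    if not configured:
        return ("disabled", [])            # empty value: any extension is parsed
    if configured != DEFAULT_EXTENSIONS:
        return ("widened", configured)     # review every extra extension
    return ("default", configured)

if __name__ == "__main__":
    # Constructed pool file and the versions named in the post.
    sample = "[www]\n;security.limit_extensions = .php .php3\nlisten = 127.0.0.1:9000\n"
    for version in ("5.3.3-7+squeeze14", "5.3.18", "5.4.8"):
        print(version, audit(version, sample))
```

A result of `unsupported`, `disabled` or `widened` means the FPM-side safety net is missing or loosened, so the web server configuration is the only thing restricting which files reach the PHP interpreter.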
