Security Risk
Jim Ohlstein
jim.ohlstein at gmail.com
Sat Feb 14 04:38:11 MSK 2009
How are you handling php files in your config file? They shouldn't be served as text. Are you using php-fcgi?
Once you have that sorted out, you can use a rewrite something like:
location /path/to/phymyadmin/ {
if ( $uri !~ .*\.php$" ) {
rewrite ^/(.*)$ /index.php last;
}
}
I think that should work to rewrite every non-php request to the index page.
Alternatively you can delete the readme file and other similar non-essential files.
> -----Original Message-----
> From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of
> Stefan Scott
> Sent: Friday, February 13, 2009 7:56 PM
> To: nginx at sysoev.ru
> Subject: Security Risk
>
> Yeah, this "solution" is definitely a security risk.
>
> I just did some testing, and I'm able to open *any* file in
> /home/myname/sources/phpmyadmin.
>
> For example, if I point the browser at:
>
> http://mydom.myhost.com/phpmyadmin/index.php
>
> then Firefox offers to download the index.php file.
>
> If I point the browser at:
>
> http://mydom.myhost.com/phpmyadmin/README
>
> then it displays the README file in the browser, etc.
>
> So this is not good.
>
> How do I set up my directories and my nginx.conf file so that people
> can
> browse to a site like:
>
> http://mydom.myhost.com/mysub-url
>
> without exposing all the files in the directory $root/mysub-url?
>
> Thanks.
>
> --
> Posted via http://www.ruby-forum.com/.
More information about the nginx
mailing list