Security Risk

Rob Schultz rschultz7 at gmail.com
Sat Feb 14 04:56:14 MSK 2009


Yeah, but using that would kill all CSS, JS and image files in that folder.

And it doesn't sound like you have PHP set up to be served at all from
that location. If you have a php location block and a phpmyadmin
location block, then you need to copy your PHP fastcgi/proxy_pass
directives into your phpmyadmin section as well, since only one location
will be matched.

On Feb 13, 2009, at 7:38 PM, Jim Ohlstein wrote:

> How are you handling PHP files in your config file? They shouldn't
> be served as text. Are you using php-fcgi?
>
> Once you have that sorted out, you can use a rewrite something like:
>
> location /path/to/phpmyadmin/ {
>     if ( $uri !~ "\.php$" ) {
>         rewrite ^/(.*)$ /index.php last;
>     }
> }
>
> I think that should work to rewrite every non-PHP request to the
> index page.
>
> Alternatively you can delete the README file and other similar
> non-essential files.
>
>
>> -----Original Message-----
>> From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of Stefan Scott
>> Sent: Friday, February 13, 2009 7:56 PM
>> To: nginx at sysoev.ru
>> Subject: Security Risk
>>
>> Yeah, this "solution" is definitely a security risk.
>>
>> I just did some testing, and I'm able to open *any* file in
>> /home/myname/sources/phpmyadmin.
>>
>> For example, if I point the browser at:
>>
>>  http://mydom.myhost.com/phpmyadmin/index.php
>>
>> then Firefox offers to download the index.php file.
>>
>> If I point the browser at:
>>
>>  http://mydom.myhost.com/phpmyadmin/README
>>
>> then it displays the README file in the browser, etc.
>>
>> So this is not good.
>>
>> How do I set up my directories and my nginx.conf file so that people
>> can browse to a site like:
>>
>>  http://mydom.myhost.com/mysub-url
>>
>> without exposing all the files in the directory $root/mysub-url?
>>
>> Thanks.
>>
>> --
>> Posted via http://www.ruby-forum.com/.
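The situation the thread describes, as an added example that is not from the original messages: the configuration that hands out phpmyadmin files as plain text, beside one that routes .php requests to the FastCGI backend inside the phpmyadmin location itself and keeps the rest of the tree (README and the like) unreachable. The host name and root path are taken from the thread; the backend address 127.0.0.1:9000 and the asset extensions are assumptions.

```nginx
# Added example, not the thread's own config. The FastCGI backend address
# and the asset extension list are assumptions.

# BEFORE: no PHP handler covers /phpmyadmin/, so every file under it is served
# as a static file. index.php is offered for download, README is displayed.
server {
    listen 80;
    server_name mydom.myhost.com;
    root /home/myname/sources;

    location /phpmyadmin/ {
        index index.php;   # index.php is found, but nothing executes it
    }
}

# AFTER: a request matches exactly one location, so the phpmyadmin block needs
# its own FastCGI directives. Nested regex locations are tried in order.
server {
    listen 80;
    server_name mydom.myhost.com;
    root /home/myname/sources;

    location /phpmyadmin/ {
        index index.php;   # "/phpmyadmin/" redirects internally to index.php

        # 1. PHP scripts go to the FastCGI backend, never to the static handler
        location ~ \.php$ {
            try_files $uri =404;   # a missing script must not reach the backend
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass 127.0.0.1:9000;   # assumed php-fcgi address
        }

        # 2. the assets phpmyadmin's pages need are allowed by extension only;
        #    an unconditional rewrite to index.php would break exactly these
        location ~ \.(css|js|png|gif|jpg|ico)$ {
            expires 1h;
        }

        # 3. anything else under the tree (README, ChangeLog, .inc files, ...)
        #    is never served; "/phpmyadmin/" itself does not match ".+", so the
        #    index directive above still fires for the directory request
        location ~ ^/phpmyadmin/.+ {
            return 404;
        }
    }
}
```

Check it with `nginx -t` and then request /phpmyadmin/README and /phpmyadmin/index.php: the first should return 404 and the second should return rendered output, not PHP source.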