fastcgi problem

Cliff Wells cliff at develix.com
Mon Feb 23 16:00:01 MSK 2009


On Mon, 2009-02-23 at 10:38 +0000, Ed W wrote:
> Paul van der Linden wrote:
> >>>         location / {
> >>>            fastcgi_pass   localhost:8888;
> >>>            fastcgi_index  moin.fcg;
> >>>       
> 
> 
> Remember also that this will cause any .php (or whatever cgi) files
> anywhere on the filesystem to be executed.

Untrue (in this case), since Moin isn't a PHP application and Nginx
doesn't execute CGI scripts. The only potential attack vector would be
to somehow upload a Python script and convince Moin to import it (quite
a bit trickier).

>   It seems to be a pretty
> common error for nginx PHP setups to use something like the above AND
> also allow arbitrary named file uploads.  If the user of the php
> application can cause some file to be uploaded with a .php extension
> then point to its disk path then the file will be executed.

In the case of PHP, your above statements are true. OTOH, the
situation becomes similar to that of Apache, so I'd think that this
isn't an Nginx-specific issue, but rather application-specific.

Regards,
Cliff
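
The PHP case discussed above, as an added configuration example that is not part of the original thread: the pass-everything pattern next to one way to confine which files reach the backend. The document root, the /uploads/ directory, the listen ports and the 127.0.0.1:9000 backend are assumptions.

```nginx
# Added example (fragments for the http {} context). Paths, ports, the
# upload directory and the backend address are assumed, not from the thread.

# Weak: every request URI is handed to the PHP FastCGI backend, so whatever
# path the client names becomes SCRIPT_FILENAME, including files that the
# application itself wrote into a web-reachable upload directory.
server {
    listen 8080;
    root   /var/www/app;

    location / {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   127.0.0.1:9000;
    }
}

# Corrected: uploads are static-only, and only existing .php files outside
# the upload directory are passed to the backend.
server {
    listen 8081;
    root   /var/www/app;

    # "^~" stops nginx from evaluating the regex location below for any URI
    # under this prefix, so /uploads/x.php is served as a plain download.
    location ^~ /uploads/ {
        default_type application/octet-stream;
    }

    # try_files returns 404 before the backend is contacted when the
    # requested script does not exist under the document root.
    location ~ \.php$ {
        try_files      $uri =404;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   127.0.0.1:9000;
    }

    # Everything else is served from disk and never reaches FastCGI.
    location / {
        try_files $uri $uri/ =404;
    }
}
```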





