Equivalent of Apache's SetEnv Variable
Ed W
lists at wildgooses.com
Thu Aug 5 01:44:51 MSD 2010
On 04/08/2010 01:21, Michael Shadle wrote:
>
> What I've realized over the couple years I've been using nginx is that
> most people overengineer their configuration. I hardly ever need more
> than a few lines of special sauce for anything I've ran in nginx. Of
> course, I'm a minimalist.
>
However, all the default configs that I have seen for PHP setups on the
wiki, etc, seem insecure to my mind. They nearly all point *all* files
named xx.php to be processed by your php interpreter. Coupled with
nearly all non-trivial applications having some "upload" feature, this
allows a gaping potential issue: upload arbitrary files named xx.php
and you are allowing arbitrary code to be uploaded...
I set up my machines to only point files in limited directories to be
processed by the php interpreter. Coupled with specific handling of any
upload/temp/template/public directories or anywhere else that might
accidentally contain something it shouldn't..
See, just checked the wiki. Surely this example allows you to
immediately upload a new file with a .php suffix and exploit the server?
http://wiki.nginx.org/NginxMediaWiki
Does Drupal allow uploads? If so then good luck...
http://drupal.org/node/110224
Surely Dokuwiki allows uploads?
http://wiki.nginx.org/Dokuwiki
Make your config secure! Don't just trust the upload function parsing
and allowing only certain filename patterns!
Good luck
Ed W
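The contrast Ed describes, as an added example that is not part of the original post or any nginx wiki page: the first server block is the "catch every .php" pattern he objects to, the second only hands named front-controller scripts in the web root to PHP and refuses to execute anything under the upload and template trees. Document root, directory names, script names and the php-fpm socket path are assumptions for illustration.

```nginx
# --- Weak: the wiki-style catch-all ---------------------------------
# Every request ending in .php, wherever it lands under the root, is
# executed. A user who can upload shell.php into /uploads/ gets code
# execution by requesting /uploads/shell.php.
server {
    listen 80;
    server_name weak.example;          # assumed
    root /var/www/app;                 # assumed

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}

# --- Hardened: execute only what you listed -------------------------
server {
    listen 80;
    server_name hardened.example;      # assumed
    root /var/www/app;                 # assumed

    # Directories that may contain user-supplied or generated files.
    # "^~" means regex locations below are never consulted for these
    # prefixes, so nothing here can reach the PHP handler. A .php file
    # inside them is not even served as static text; it is refused.
    location ^~ /uploads/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }
    location ^~ /tmp/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }
    location ^~ /templates/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }

    # Only these exact scripts in the web root are executed. The
    # trailing "$" means /index.php/anything does not match, and
    # try_files refuses the request if the script file is missing.
    location ~ ^/(index|update|install)\.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Any other .php name, wherever it sits, is neither executed nor
    # served.
    location ~ \.php$ { return 404; }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The point of the second block is that the allow-list lives in the web server, not in the application's upload filter: even if the filter lets a .php name through, the file lands in a prefix whose locations never reach fastcgi_pass. Check it after deploying with a request for a .php name under each upload prefix and confirm you get 403, not PHP output.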