Equivalent of Apache's SetEnv Variable

Ed W lists at wildgooses.com
Thu Aug 5 01:44:51 MSD 2010


On 04/08/2010 01:21, Michael Shadle wrote:
>
> What I've realized over the couple of years I've been using nginx is that
> most people overengineer their configuration. I hardly ever need more
> than a few lines of special sauce for anything I've run in nginx. Of
> course, I'm a minimalist.
>

However, all the default configs that I have seen for PHP setups on the 
wiki, etc., seem insecure to my mind. They nearly all point *all* files 
named xx.php to be processed by your PHP interpreter. Coupled with 
nearly all non-trivial applications having some "upload" feature, this 
allows a gaping potential issue: upload arbitrary files named xx.php 
and you are allowing arbitrary code to be uploaded...

I set up my machines to only point files in limited directories to be 
processed by the PHP interpreter, coupled with specific handling of any 
upload/temp/template/public directories or anywhere else that might 
accidentally contain something it shouldn't.


See, I just checked the wiki. Surely this example allows you to 
immediately upload a new file with a .php suffix and exploit the server?
     http://wiki.nginx.org/NginxMediaWiki
Does Drupal allow uploads? If so then good luck...
     http://drupal.org/node/110224
Surely Dokuwiki allows uploads?
     http://wiki.nginx.org/Dokuwiki

Make your config secure!  Don't just trust the upload function parsing 
and allowing only certain filename patterns!

Good luck

Ed W
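The configuration pattern Ed describes, shown as an added example that is not part of the post or of any of the linked wiki pages. It puts the common "every .php anywhere goes to the interpreter" block next to an allow-list version in which only a known entry point is executed and writable directories never reach PHP. The document root, the /uploads/ directory and the PHP-FPM address 127.0.0.1:9000 are assumptions chosen for illustration; substitute the paths your application actually uses.

```nginx
# Added example, not from the mailing list post. The paths /var/www/app and
# /uploads/ and the FastCGI address are assumptions for illustration only.

server {
    listen 80;
    server_name example.com;
    root /var/www/app;
    index index.php index.html;

    # WEAK pattern (what the post objects to): any file whose name ends in
    # .php, anywhere under the document root, is handed to the interpreter.
    # A file written into a world-writable directory by an upload feature
    # would be executed on the next request for it.
    #
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass 127.0.0.1:9000;
    # }

    # HARDENED: the upload directory is served as static content only.
    # "^~" makes this prefix match win over every regex location below,
    # and the nested regex refuses anything PHP-like inside it.
    location ^~ /uploads/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }

    # Only the application's known entry point is ever executed.
    # The exact match ("=") takes priority over the catch-all regex below.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Everything else is a static file, a directory, or a front-controller
    # route; nothing here reaches the interpreter directly.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Any other .php under the document root is refused rather than executed.
    location ~ \.php$ {
        return 403;
    }
}
```

After editing, `nginx -t` checks the syntax before a reload. Applications with several entry points (an admin front controller, a cron endpoint) get one `location =` block each; the important property is that the list of executable paths is closed, so a file added to the tree later is served as data or refused, never run.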


