Equivalent of Apache's SetEnv Variable

Cliff Wells cliff at develix.com
Thu Aug 5 06:40:02 MSD 2010

On Wed, 2010-08-04 at 22:44 +0100, Ed W wrote:

> See, just checked the wiki.  Surely this example allows you to 
> immediately upload a new file with a .php suffix and exploit the server?
>      http://wiki.nginx.org/NginxMediaWiki

Mediawiki doesn't allow that.  It filters by an allowed list of
extensions, and .php isn't among them.

Of course, if you can also let Nginx provide another ounce of
prevention, then all the better.  Unfortunately most PHP applications
expect to be able to run arbitrary PHP scripts from almost any directory
under the sun, so you can either account for each and every script
(hopefully they put included files in a separate directory) or simply
make sure that it's not possible to upload files ending with .php.



More information about the nginx mailing list