Possible widespread PHP configuration issue - security risk
brianmercer
nginx-forum at nginx.us
Fri Aug 27 20:22:26 MSD 2010
Ed W Wrote:
-------------------------------------------------------
> Look, not had a lot of success raising this quietly. The Nginx wiki
> has a number of very insecure PHP configuration suggestions. Anyone
> using these example configurations should immediately review their
> configuration and ensure that they aren't vulnerable to an upload attack
> where uploaded files might be accidentally treated as executable files
> by nginx
>
More discussion and proposed fixes here:
http://forum.nginx.org/read.php?2,88845,88996
In addition to:
1. disabling .php execution in upload directories;
2. adding a try_files to your .php location to check that the requested .php file exists;
you can also change this setting in php.ini from
    cgi.fix_pathinfo=1
to
    cgi.fix_pathinfo=0
to disable that feature and then use
    location ~ ^(.+\.php)(/.*)?$ {
        # nginx, not PHP, decides where the script name ends; PATH_INFO has
        # to begin with "/" so /foo.phpbar is not split into script + info
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        # try_files rewrites $uri to the file it found, which empties
        # $fastcgi_path_info, so keep a copy first
        set $path_info $fastcgi_path_info;
        # refuse the request unless the script part is a real file
        try_files $fastcgi_script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        # fastcgi_pass takes host:port or unix:/path, not an http:// URL
        fastcgi_pass 127.0.0.1:9000;
    }
if you have software that needs the path_info feature. The only thing I
use that does is chive.
Thanks in advance for updating the wiki
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,124297,124321#msg-124321
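Added illustration (not code from the thread or from nginx/PHP): a small model of how the same request is handled under the three set-ups discussed above, the unchecked "location ~ \.php$" style the thread warns about, the same block with "try_files $uri =404", and cgi.fix_pathinfo=0 combined with fastcgi_split_path_info. The document root, the two files in it, and the exact location regexes are assumptions constructed for the example; php_resolve() reproduces only the path-walking behaviour of cgi.fix_pathinfo, not the rest of php-fpm.

```python
import posixpath
import re

# Constructed document root for the illustration. avatar.jpg was uploaded by
# a site user; only its *name* is harmless, its bytes contain PHP code.
DOCROOT = "/var/www"
FILES = {
    "/var/www/index.php",
    "/var/www/uploads/avatar.jpg",
}


def exists(path):
    return path in FILES


def php_resolve(script_filename, fix_pathinfo):
    """Model of what php-cgi / php-fpm does with SCRIPT_FILENAME.

    fix_pathinfo=1 (PHP's default): if the file does not exist, strip trailing
    path components until an existing file is found, execute that file and
    hand the stripped remainder to the script as PATH_INFO.
    fix_pathinfo=0: execute SCRIPT_FILENAME only if it exists exactly as given.
    Returns (executed_file, path_info), or None when PHP refuses the request.
    """
    if exists(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        return None                      # "Primary script unknown"
    path, path_info = script_filename, ""
    while path not in ("", "/"):
        path, tail = posixpath.split(path)
        path_info = "/" + tail + path_info
        if exists(path):
            return path, path_info
    return None


def php_result(resolved):
    return ("404",) if resolved is None else ("exec",) + resolved


# Assumed shape of the configurations the thread warns about: `location ~ \.php$`.
PHP_SUFFIX = re.compile(r"\.php$")
# Assumed location/split regex for the third set-up; PATH_INFO must start
# with "/" so "/x.phpfoo" is not treated as a script plus path info.
SCRIPT_AND_INFO = re.compile(r"^(.+\.php)(/.*)?$")


def insecure_setup(uri):
    """No existence check, SCRIPT_FILENAME = $document_root$uri, and PHP left
    at cgi.fix_pathinfo=1."""
    if not PHP_SUFFIX.search(uri):
        return ("static", uri)
    return php_result(php_resolve(DOCROOT + uri, fix_pathinfo=True))


def try_files_setup(uri):
    """Fix 2 from the post: `try_files $uri =404;` in the .php location.
    nginx answers 404 before PHP is asked about a path that is not a real
    file. PHP itself still runs with cgi.fix_pathinfo=1."""
    if not PHP_SUFFIX.search(uri):
        return ("static", uri)
    if not exists(DOCROOT + uri):
        return ("404",)
    return php_result(php_resolve(DOCROOT + uri, fix_pathinfo=True))


def split_path_info_setup(uri):
    """The post's third option: cgi.fix_pathinfo=0 in php.ini; nginx decides
    where the script name ends (fastcgi_split_path_info), checks that that
    file exists (try_files $fastcgi_script_name =404) and passes the
    remainder as PATH_INFO, so software that needs PATH_INFO keeps working."""
    m = SCRIPT_AND_INFO.match(uri)
    if not m:
        return ("static", uri)
    script, path_info = m.group(1), m.group(2) or ""
    if not exists(DOCROOT + script):
        return ("404",)
    resolved = php_resolve(DOCROOT + script, fix_pathinfo=False)
    return ("exec", resolved[0], path_info)


def compare(uri):
    """Outcome of one request under the three set-ups."""
    return {
        "insecure": insecure_setup(uri),
        "try_files": try_files_setup(uri),
        "fix_pathinfo=0 + split": split_path_info_setup(uri),
    }


if __name__ == "__main__":
    for uri in ("/index.php", "/index.php/user/42", "/uploads/avatar.jpg",
                "/uploads/avatar.jpg/x.php", "/missing.php"):
        print(uri)
        for name, outcome in compare(uri).items():
            print(f"  {name:24s} {outcome}")
```

The request to watch is /uploads/avatar.jpg/x.php: under the unchecked block nginx sends SCRIPT_FILENAME=/var/www/uploads/avatar.jpg/x.php, PHP cannot find it, walks back to the existing avatar.jpg and executes the attacker's upload. Both fixes turn that into a 404; only the third one also keeps /index.php/user/42 working as a PATH_INFO request, since the plain `\.php$` location never matches such a URI.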