Possible widespread PHP configuration issue - security risk

brianmercer nginx-forum at nginx.us
Fri Aug 27 20:22:26 MSD 2010


Ed W Wrote:
-------------------------------------------------------
> Look, not had a lot of success raising this quietly.  The Nginx wiki
> has a number of very insecure PHP configuration suggestions.  Anyone
> using these example configurations should immediately review their
> configuration and ensure that they aren't vulnerable to an upload attack
> where uploaded files might be accidentally treated as executable files
> by nginx
> 

More discussion and proposed fixes here:
http://forum.nginx.org/read.php?2,88845,88996

In addition to:

1. disabling .php execution in upload directories;
2. adding a try_files to your .php location to check that the requested
.php file exists;
you can also change this setting in php.ini

cgi.fix_pathinfo=1

to 

cgi.fix_pathinfo=0

to disable that feature and then use 

  location ~ ^(.+\.php)(.*)$ {
    # Check that the script part of the URI exists on disk before passing
    # it to PHP. $fastcgi_script_name is the first capture of
    # fastcgi_split_path_info below, so /index.php/extra is checked as
    # /index.php; checking $uri here would 404 every PATH_INFO request.
    try_files $fastcgi_script_name =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_index index.php;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    # fastcgi_pass takes host:port or a unix: socket, not an http:// URL
    fastcgi_pass 127.0.0.1:9000;
  }

if you have software that needs the path_info feature.  The only thing I
use that does is chive.

Thanks in advance for updating the wiki

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,124297,124321#msg-124321
