Possible widespread PHP configuration issue - security risk
Ed W
lists at wildgooses.com
Fri Aug 27 20:23:00 MSD 2010
On 27/08/2010 16:47, zuborg wrote:
> http://myserver/uploads/test.jpg/.php - this attack relies on some
> php-fcgi feature ?
I *think* it's purely down to use of this configuration stanza:
location ~ \.php$ {
    fastcgi_pass myphp;
}
What I try and do as far as possible is use a tighter stanza so that it
only applies to certain files or directories or whatever. I have done
it on a slightly ad-hoc basis so far and used IF statements if I need to
exclude stuff and a tighter regexp in other situations.
My implicit question was really because I suspect there is perhaps a
better and more general way to write this generic config assuming:
- large number of arbitrary locations containing PHP files
- some dangerous locations which need to be excluded
- complicated mapping between URIs and file locations
Perhaps someone has a better base config for the above and fastcgi?
Remember the other hint here was that many web apps ship with a bunch of
.htaccess files for apache. It feels very likely that many nginx users
forget to scan for these and translate them into appropriate nginx
configuration. How could we better document that this usually shouldn't
be ignored?
Ed W
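As an added example (not from the thread or from nginx's own documentation), here is one way to write the base config Ed asks for, so that a URI such as /uploads/test.jpg/.php is refused rather than handed to the FastCGI backend; the upstream name myphp, the /uploads/ directory and the document root are assumptions.

```nginx
# Assumed layout: PHP files under the document root, user uploads in /uploads/.
server {
    listen 80;
    server_name myserver;
    root /var/www/html;
    index index.php index.html;

    # Upload directories must never reach PHP, however the URI is spelled.
    # A ^~ prefix location wins over regex locations, so the \.php$ block
    # below is not consulted for anything under /uploads/.
    location ^~ /uploads/ {
        try_files $uri =404;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # Only pass the request on if the file the URI names actually exists.
        # /uploads/test.jpg/.php is not a file on disk, so nginx answers 404
        # instead of letting the PHP backend fall back to test.jpg.
        # (Requests that rely on PATH_INFO, e.g. /index.php/extra, will also
        # get 404 with this rule; that is the trade-off being made here.)
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass myphp;
    }

    # Apache apps ship .htaccess rules that nginx never reads; the equivalent
    # protections have to be rewritten here, starting with hiding the files.
    location ~ /\.ht {
        deny all;
    }
}
```

As defence in depth, setting cgi.fix_pathinfo=0 in php.ini stops the PHP backend from walking back along the path to find a script, independently of the nginx rules.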