Possible widespread PHP configuration issue - security risk

Ed W lists at wildgooses.com
Fri Aug 27 20:23:00 MSD 2010


On 27/08/2010 16:47, zuborg wrote:
> http://myserver/uploads/test.jpg/.php - this attack relies on some
> php-fcgi feature?

I *think* it's purely down to use of this configuration stanza:

     location ~ \.php$ {
         # any URI ending in .php (e.g. /uploads/test.jpg/.php) is handed to PHP
         fastcgi_pass myphp;
     }

What I try and do as far as possible is use a tighter stanza so that it 
only applies to certain files or directories or whatever.  I have done 
it on a slightly ad-hoc basis so far and used IF statements if I need to 
exclude stuff and a tighter regexp in other situations.

My implicit question was really because I suspect there is perhaps a 
better and more general way to write this generic config assuming:
- large number of arbitrary locations containing PHP files
- some dangerous locations which need to be excluded
- complicated mapping between URIs and file locations

Perhaps someone has a better base config for the above and fastcgi?


Remember the other hint here was that many web apps ship with a bunch of 
.htaccess files for apache.  It feels very likely that many nginx users 
forget to scan for these and translate them into appropriate nginx 
configuration.  How could we better document that this usually shouldn't 
be ignored?

Ed W
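A hardened version of the stanza quoted above, as an added example that is not part of the original thread. The upstream name myphp is taken from the post; the document root path and server name are placeholders.

```nginx
# Added example (not from the thread). Assumes PHP-FPM is reachable via the
# upstream "myphp" from the post and that the site lives under /var/www/site
# (placeholder path).
server {
    listen 80;
    server_name myserver;            # hostname taken from the quoted URL
    root /var/www/site;              # placeholder document root
    index index.php index.html;

    # Upload directory: nothing under it is ever handed to PHP. The "^~"
    # modifier stops nginx from consulting the regex locations below for
    # these URIs, so /uploads/test.jpg/.php never reaches fastcgi_pass.
    location ^~ /uploads/ {
        try_files $uri =404;
        # Belt and braces: refuse anything that still looks like a script.
        location ~ \.php$ { deny all; }
    }

    # Every other PHP request: only run a script that actually exists.
    # The original "location ~ \.php$" matched /uploads/test.jpg/.php because
    # the URI ends in .php; with cgi.fix_pathinfo=1 PHP then walks back to
    # test.jpg and executes it. try_files rejects the request unless the full
    # URI maps to a real file on disk. Setting cgi.fix_pathinfo=0 in php.ini
    # closes the same hole on the PHP side and is worth doing as well.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass myphp;
    }
}
```

Sites with a complicated URI-to-file mapping can keep the same two rules (never pass upload directories to PHP, and `try_files $uri =404` before `fastcgi_pass`) while extending the `^~` prefix locations per directory.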



More information about the nginx mailing list