Possible widespread PHP configuration issue - security risk
Ed W
lists at wildgooses.com
Fri Aug 27 20:42:38 MSD 2010
Hi
> More discussion and proposed fixes here:
> http://forum.nginx.org/read.php?2,88845,88996
Thanks for the link.
However, I have to say with my "typical user" hat on: I started reading
the thread, got about halfway through, skipped to the end to find some
kind of executive summary and then came away deciding that it looked too
complicated...
Look, there are some smart cookies here and I'm sure most of the people
on this list have their servers set up securely. However, there are a
massive 99% of other people who just want to cut and paste a config and
it's my opinion that the default configs they are likely using have big
holes in them.
This isn't new stuff. EVERY web app needs to secure the uploads
directory. The point is more that the main config examples are for
Apache and less skilled nginx users will easily miss these subtleties.
I last posted about this 23/2/2009. Didn't raise the slightest interest
then either.
> In addition to:
>
> 1. disabling .php execution in upload directories;
Yes, but this isn't that obvious how to do?
> 2. adding a try_files to your .php location to check that the requested
> .php file exists;
I agree. However, we still don't have a cut'n'paste solution for the
average user?
> if you have software that needs the path_info feature. The only thing I
> use that does is chive.
Actually I think we might be overthinking the problem here. I don't
think it's the path_info which is the problem - the post you mentioned
was really just a special case of getting the interpreter to run
something in the uploads dir. I think the big final config change is to
give a more generic way to avoid running files in the upload dir *at
all*. All the other stuff such as try_files, etc. is really icing after
that?
Look, here's my best attempt. I think it's poor, hence I hope someone has
a better suggestion:
Single script, enable only that single script:

    # anchored with ^ so that only this exact path is handed to PHP
    location ~ ^/blah/script\.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass localhost:9000;
    }

Exclude single dir, everything else executable:

    # the dot must be escaped: an unescaped ".php$" matches any URI
    # ending in "php", not only ".php"
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        # anything under /images/ never reaches PHP-FPM; with no
        # fastcgi_pass it falls through and is served as a plain file
        if ( $uri !~ "^/images/") {
            fastcgi_pass localhost:9000;
        }
    }
> Thanks in advance for updating the wiki
I don't know what the definitive solution should be yet? All I see are
a very confused bunch of posts showing how if you are an nginx guru it
won't happen to you..? Let's get a core solution, shall we, and then we
can work from there?
Ed W
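For the cut'n'paste case the thread keeps asking for, here is an added server block that applies both fixes quoted above (no PHP execution under the upload directory, and a try_files check before fastcgi_pass). It is my addition for this page, not config from the original post, and it assumes a web root of /var/www/site, uploads under /uploads/ and PHP-FPM listening on localhost:9000.

```nginx
# Added example, not from the original post. Assumed paths and
# upstream: root /var/www/site, uploads in /uploads/, PHP-FPM on :9000.
server {
    listen 80;
    server_name example.com;
    root /var/www/site;
    index index.php index.html;

    # 1. No PHP execution in the upload directory. The ^~ prefix match
    #    wins over the regex .php location below for everything under
    #    /uploads/, and this block carries no fastcgi_pass. Uploaded
    #    .php files are refused outright rather than served as source.
    location ^~ /uploads/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }

    # 2. Only hand real, existing .php files to the interpreter.
    #    try_files turns a request like /pic.jpg/foo.php into a 404
    #    instead of letting the PATH_INFO handling in PHP decide what
    #    to run; cgi.fix_pathinfo=0 in php.ini backs this up.
    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass localhost:9000;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The single-script variant from the post still fits in: replace the regex .php location with `location = /blah/script.php { ... }` and nothing else is ever passed to PHP-FPM.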