Possible widespread PHP configuration issue - security risk

brianmercer nginx-forum at nginx.us
Fri Aug 27 21:17:55 MSD 2010


Ed W Wrote:
-------------------------------------------------------
> This isn't new stuff.  EVERY web app needs to
> secure the uploads 
> directory.  The point is more that the main config
> examples are for 
> Apache and less skilled nginx users will easily
> miss these subtleties.
> 

As you say, your web app should have a plan for mitigating the dangers
of user uploads.  Drupal puts an .htaccess file in the upload directory
which changes the apache file handler.  Of course, that does nothing
with nginx and so you want something like 

location ~ .*/files/.* {
  # serve the static file or 404; never pass anything here to PHP
  try_files $uri =404;  # or index.php?q=$uri or @drupal depending on your config
}

located before your location ~ .php so you get a match on the files
directory and you don't execute malicious .php.  Or something more
restrictive when it comes to .php files, like specifying the permitted
executable files explicitly.  See
http://test.brianmercer.com/content/nginx-configuration-drupal

> I don't think it's the path_info which is the problem -

Your situation number 2 is about path info which is enabled in PHP by
default so that requests like

http://mysite.com/chive/index.php/site/login

will work.  Most web apps don't need the cgi.fix_pathinfo feature turned
on.  Drupal and WordPress use queries, i.e.
http://mysite.com/wordpress/index.php?q=/site/login

Some things like chive need the path info feature, and so the PHP devs
ship PHP with cgi.fix_pathinfo turned on by default, which leads to the
vulnerability with common nginx configurations.  Luckily, nginx has
support for pathinfo without enabling cgi.fix_pathinfo in php.  I noted
the config above.

The only solution is to alert people to these complexities, and to
update the sample configs on the wiki.  Unfortunately, there are about a
thousand sample configs on the web which don't account for this issue.
A page on the wiki specifically addressing upload directories and
cgi.fix_pathinfo would also be a good idea.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,124297,124340#msg-124340
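As an added example (not part of the post above or of the linked Drupal config), here is a complete server block that applies the two points made in the thread: the upload-directory location is matched before the PHP location so nothing under /files/ is ever handed to the FastCGI backend, and PATH_INFO is derived by nginx with fastcgi_split_path_info so cgi.fix_pathinfo can be left off in php.ini. The hostname, document root and php-fpm socket path are assumptions.

```nginx
server {
    listen 80;
    server_name example.com;      # assumed hostname
    root /var/www/drupal;         # assumed document root

    # 1. Upload directory, listed first so it wins over the PHP block.
    #    A request for /sites/default/files/evil.php is served as a plain
    #    file (or 404s); there is no fastcgi_pass in this location.
    location ~ .*/files/.* {
        try_files $uri =404;
    }

    # 2. Everything else goes through Drupal's front controller using the
    #    query-string style the post describes (index.php?q=...).
    location / {
        try_files $uri /index.php?q=$uri&$args;
    }

    # 3. PHP. The location regex allows /index.php/site/login, and
    #    fastcgi_split_path_info fills $fastcgi_script_name and
    #    $fastcgi_path_info, so PHP itself never has to guess the split
    #    (cgi.fix_pathinfo=0 in php.ini). The -f check refuses requests
    #    whose script does not exist on disk; it is used instead of
    #    try_files because try_files re-evaluates and clears the
    #    captures that fastcgi_split_path_info produced.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # assumed backend
    }
}
```

With this ordering a check is simple: upload a harmless text file named test.php into the files directory and request it; nginx should return its bytes with a text content type (or 404), not run it.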
