Possible widespread PHP configuration issue - security risk

Ed W lists at wildgooses.com
Fri Aug 27 21:28:23 MSD 2010


> The simplest solution to the problem presented would be to change the wiki to encourage users to set their upload directory to a location not served by nginx (and thus not executable by PHP). This is *entirely* a PHP configuration issue.

I *think* I'm right in saying this is going to be more down to 
application support than a PHP issue?  A few applications *do* move 
their upload directory outside of the document path (Gallery 2 comes to 
mind). However, the vast majority don't seem to.  Further I don't see 
how this can be changed in general since it would require the 
application to then proxy all requests for those assets?

Mediawiki for example does its best to parse uploads and check they are 
safe, but after that it stuffs them in the /images/ directory and leaves 
it up to your webserver to serve them (which leaves open the possibility 
that the webserver might inadvertently process them as some kind of cgi 
or SSI or whatever)

> There are still dangers depending on what the application does with the uploaded files, but those exist no matter what. Making the change to the documentation to encourage this best practice should suffice for us.

Actually I believe we can do better...

The documentation bit is to warn users that SSI/CGI/dir listing/etc 
should be disabled on any location that the users can upload to.  
However, I think we can provide some default nginx config which does 
this efficiently.

I have already proposed my lame attempt at this, but I'm hoping someone 
will show something much neater, possibly involving try_files and a @php 
location?  After that I think we have a great starting point for a 
generic CGI entry and this can migrate to all the other wiki entries 
after that

Please don't forget about SSI and all other server side processing which 
can be abused.  ALL of this stuff should be turned off for untrusted 
content in general.  This isn't a new warning... It's just that most 
config examples aren't showing how to do this for nginx (apache tends to 
be the default)


Ed W
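An added example (not from the original post or the nginx wiki) of the kind of config the message asks for: a MediaWiki-style site whose /images/ upload directory is served as static files only, with SSI, directory listing and every script handler kept out of it, while the rest of the site falls through to a @php named location. The server_name, root path and php-fpm socket are placeholders.

```nginx
server {
    listen 80;
    server_name wiki.example.com;        # placeholder
    root /var/www/mediawiki;             # placeholder document root

    # Defaults are already off; stated explicitly so an include elsewhere
    # cannot silently re-enable server-side processing or listings.
    ssi off;
    autoindex off;

    # Upload directory: static files only. The "^~" prefix match wins over
    # the "~ \.php$" regex location below, so nothing under /images/ can
    # ever be handed to FastCGI, whatever the uploaded file is named.
    location ^~ /images/ {
        # Refuse script-looking names outright rather than serving their source.
        location ~* \.(php|phtml|phar|pl|py|cgi|sh)$ { return 403; }
        try_files $uri =404;
    }

    # Everything else: real file, directory, or the wiki front controller.
    location / {
        try_files $uri $uri/ @php;
    }

    location @php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_param SCRIPT_NAME /index.php;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # placeholder socket
    }

    # Explicit .php requests outside /images/. try_files =404 stops
    # "/images/x.jpg/evil.php" path-info tricks from reaching PHP.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # placeholder socket
    }
}
```

Check it with a file such as /images/test.php uploaded through the wiki: the request must come back 403, never a PHP response.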
