Possible widespread PHP configuration issue - security risk
Ed W
lists at wildgooses.com
Fri Aug 27 21:48:12 MSD 2010
On 27/08/2010 18:05, Cliff Wells wrote:
> Nevertheless, I've updated the MediaWiki entry.
I'm still having problems getting to the wiki - no .js files are loading
which is causing some weird stuff to happen.
However, my opinion is that just adding try_files is only a partial
fix. If some way is found to upload .php files (bad wikipedia config)
or some other exploit is found that can bypass the try_files then we
still have an issue.
My mediawiki config does this:
# Match request URIs ending in ".php" (the dot is escaped so that only a
# literal ".php" suffix matches, not any character followed by "php").
location ~ \.php$ {
    include /etc/nginx/fastcgi_params;
    # Do not hand anything under the upload directory to PHP.
    if ( $uri !~ "^/images/") {
        fastcgi_pass localhost:9000;
    }
}
Others have already pointed out that we can do better than my IF.
However, your try_files, plus the explicit exclusion of the /images/ dir
go a long way to secure mediawiki. Also I think the specific exclusion
of the /images/ dir becomes quite self-documenting, whereas the
try_files is quite a subtle fix?
Cheers
Ed W
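A hardened form of the location block discussed above, combining try_files with an explicit exclusion of the upload directory. This is an added example, not configuration from the original post; it assumes PHP-FPM listens on localhost:9000, that user uploads live under /images/, and that /etc/nginx/fastcgi_params does not already set SCRIPT_FILENAME.

```nginx
# Added example, not from the original post. Assumes PHP-FPM on
# localhost:9000 and uploads under /images/.

# Upload directory: serve files statically and never pass anything
# here to PHP. The ^~ prefix match wins over the regex location below,
# so no "if" is needed. The nested location refuses script-looking
# names outright instead of silently serving them as static files.
location ^~ /images/ {
    location ~ \.php$ {
        return 403;
    }
}

location ~ \.php$ {
    # Only forward a request if the URI names a file that really exists
    # on disk; a ".php" URI with no matching file gets a 404 instead of
    # being handed to the FastCGI backend, where PATH_INFO handling
    # could otherwise map it onto a different file.
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass localhost:9000;
}
```

Setting cgi.fix_pathinfo=0 in php.ini is a complementary backend-side measure, so the protection does not rest on the nginx configuration alone.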