Possible widespread PHP configuration issue - security risk

ubitux ubitux at gmail.com
Fri Aug 27 21:52:33 MSD 2010


On Fri, Aug 27, 2010 at 06:48:12PM +0100, Ed W wrote:
>  On 27/08/2010 18:05, Cliff Wells wrote:
> >Nevertheless, I've updated the MediaWiki entry.
> 
> I'm still having problems getting to the wiki - no .js files are
> loading which is causing some weird stuff to happen.
> 
> However, my opinion is that just adding try_files is only a partial
> fix.  If some way is found to upload .php files (bad wikipedia
> config) or some other exploit is found that can bypass the try_files
> then we still have an issue.
> 
> My mediawiki config does this:
> 
>                 location ~ \.php$ {
>                         include /etc/nginx/fastcgi_params;
>                         if ( $uri !~ "^/images/") {
>                                 fastcgi_pass    localhost:9000;
>                         }
>                 }
> 
> Others have already pointed out that we can do better than my IF.
> However, your try_files, plus the explicit exclusion of the /images/
> dir go a long way to secure mediawiki.  Also I think the specific
> exclusion of the /images/ dir becomes quite self-documenting,
> whereas the try_files is quite a subtle fix?
> 

Why don't you just check if the file exists?

I use something like that:

location ~ \.php$ {
        # Refuse to hand anything to PHP unless the resolved path is a regular file
        if (!-f $request_filename) {
                return 404;
        }
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        # $vpath is set elsewhere in the server block (not shown in this message)
        fastcgi_param SCRIPT_FILENAME $vpath/$fastcgi_script_name;
        include fastcgi_params;
}

And it seems to fix the nginx issue.

> Cheers
> 
> Ed W
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx

-- 
ubitux
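
As an added illustration that is not part of the thread, the following Python model shows how the two mitigations discussed above treat a request: ubitux's existence check on $request_filename and Ed's explicit exclusion of the /images/ directory. The document root, the file list and the request URIs are constructed for the example.

```python
import re

# Constructed stand-in for the document root and the files on disk (not a real server).
DOCUMENT_ROOT = "/var/www/wiki"
EXISTING_FILES = {
    "/var/www/wiki/index.php",
    "/var/www/wiki/api.php",
    "/var/www/wiki/images/avatar.jpg",
    "/var/www/wiki/images/uploaded.php",  # Ed's "some way is found to upload .php files" case
}

# Equivalent of the `location ~ \.php$` match in both configs.
PHP_LOCATION = re.compile(r"\.php$")


def request_filename(uri: str) -> str:
    """Mirror nginx's $request_filename: document root joined with the URI path (no query string)."""
    path = uri.split("?", 1)[0]
    return DOCUMENT_ROOT + path


def route(uri: str, check_exists: bool = True, exclude_images: bool = False) -> str:
    """Decide what the PHP location would do with the request.

    'fastcgi' -> handed to php-fpm
    '404'     -> rejected by `if (!-f $request_filename) { return 404; }`
    'static'  -> not matched, or excluded, so served as a plain file
    """
    path = uri.split("?", 1)[0]
    if not PHP_LOCATION.search(path):
        return "static"
    # Ed's explicit exclusion: nothing under /images/ is ever passed to PHP.
    if exclude_images and path.startswith("/images/"):
        return "static"
    # ubitux's guard: a URI that ends in .php but does not name a real file gets a 404
    # instead of being passed on to FastCGI.
    if check_exists and request_filename(uri) not in EXISTING_FILES:
        return "404"
    return "fastcgi"
```

The existence check alone still executes a .php file that has been placed under /images/, which is Ed's point; the directory exclusion closes that case as well.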
