Possible widespread PHP configuration issue - security risk

Michael Shadle mike503 at gmail.com
Fri Aug 27 22:15:45 MSD 2010

On Fri, Aug 27, 2010 at 11:13 AM, Cliff Wells <cliff at develix.com> wrote:

> It is subtle, but all fixes are, because the underlying vulnerability is
> quite subtle.  What user isn't going to look at that and say to
> themselves "why do I need this if statement?".   Just use the try_files
> and add a comment to its purpose.

The caveat with try_files is it means nginx has filesystem access to
check the existence of the file and an additional stat call (or more)
- it can be in the open file cache, modern systems it's not a huge
deal, etc, etc.

But it won't help if you're fastcgi_pass to a remote server that nginx
does not have the same path to the file (or have access to the php
file) at all.

More information about the nginx mailing list