nginx 0day exploit for nginx + fastcgi PHP

Igor Sysoev igor at sysoev.ru
Fri May 21 21:39:46 MSD 2010


On Fri, May 21, 2010 at 09:33:02PM +0400, Igor Sysoev wrote:

> On Fri, May 21, 2010 at 10:07:00AM -0700, Avleen Vig wrote:
> 
> > This is currently doing the rounds, so I thought it pertinent to post
> > it here too.
> > 
> > http://www.webhostingtalk.com/showthread.php?p=6807475#post6807475
> > 
> > I don't know what nginx should do to fix this, but there are two
> > workarounds given.
> > If you allow file uploads (especially things like images) and use PHP
> > FastCGI in the back end, you should take a loot at this now.
> > The exploit allows for any arbitrary file which is uploaded, to be
> > executed as PHP.
> 
> I do not see why this is treated as nginx bug ?
> Why is anyone able at all to upload images to /scripts directory ?
> Why does PHP have cgi.fix_pathinfo option ?
> BTW, I'm just curious how does lighttpd resolve this issue ?
> 
> Also instead of
> 
> if ( $fastcgi_script_name ~ \..*\/.*php ) {
>     return 403;
> }
> 
> it should be worked around as
> 
> location ~ \..*/.*\.php$ {
>     return 403;
> }
> 
> location ~ \.php$ {
>     return 403;

-     return 403;
+     fastcgi_pass  ...

> }


-- 
Igor Sysoev
http://sysoev.ru/en/



More information about the nginx mailing list