nginx 0day exploit for nginx + fastcgi PHP

Ian M. Evans ianevans at digitalhit.com
Fri May 21 23:04:18 MSD 2010


On 5/21/2010 2:36 PM, Igor Sysoev wrote:
> On Fri, May 21, 2010 at 02:26:31PM -0400, Ian Evans wrote:
>
>> Is this situation only pertaining to sites that allow uploads from forms?
>>
>> Going way back to this thread
>> (http://www.ruby-forum.com/topic/145358#645652) in '08, I needed
>> cgi.fix-pathinfo=1 to fix problems with paths and specific extensionless
>> files I needed run as php.
>>
>> Changing cgi.fix-pathinfo=1 to 0 broke a lot of stuff.
>
> Could you show again how URIs should be mapped to SCRIPT_FILENAME
> and PATH_INFO ? Modern nginx versions support named captures in regex.
>
>

This is what you came up with in the thread back in '08:

        location ~ ^/(cr|news|poll|posters|photos|profile|review)(/|$) {
            root /usr/local/apache/htdocs;
            set  $script_name  $uri;
            set  $path_info    "";

            if ($uri ~ ^(/[^/]+)(/.*)) {
                set  $script_name  $1;
                set  $path_info    $2;
                fastcgi_pass 127.0.0.1:10004;
            }
            ...
            fastcgi_param  SCRIPT_FILENAME  $document_root$script_name;
            fastcgi_param  PATH_INFO        $path_info;
        }

        location ~ /(cr|news|poll|posters|photos|profile|review)(/|$) {
            root /usr/local/apache/htdocs;
            set  $script_name  $uri;
            set  $path_info    "";

            if ($uri ~ ^(.*/(?:cr|news|poll|posters|photos|profile|review))(/.*)) {
                set  $script_name  $1;
                set  $path_info    $2;
                fastcgi_pass 127.0.0.1:10004;
            }
            ...
            fastcgi_param  SCRIPT_FILENAME  $document_root$script_name;
            fastcgi_param  PATH_INFO        $path_info;
            fastcgi_pass 127.0.0.1:10004;
        }

The two variations were needed to handle when the extensionless php 
script file was in the root (example.com/NEWS/2006/1/24) or several 
subdirs down (example.com/tiff/2007/1/PHOTOS/16)
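
The mapping done by the two location blocks above, modelled in Python as an added example (not part of the original message and not nginx code). It assumes no other location takes the request first, that the two regex locations are tested in the order shown, and that the constructed sample URIs are already normalized.

```python
import re

# Values copied from the posted config.
DOCUMENT_ROOT = "/usr/local/apache/htdocs"
NAMES = "cr|news|poll|posters|photos|profile|review"

# (location regex, regex from the `if ($uri ~ ...)` test), in config order.
BLOCKS = [
    (re.compile(rf"^/({NAMES})(/|$)"), re.compile(r"^(/[^/]+)(/.*)")),
    (re.compile(rf"/({NAMES})(/|$)"), re.compile(rf"^(.*/(?:{NAMES}))(/.*)")),
]


def map_uri(uri):
    """Return (SCRIPT_FILENAME, PATH_INFO) for uri, or None if neither block matches."""
    for location, split in BLOCKS:
        if not location.search(uri):
            continue
        # Defaults set before the `if`: the whole URI is the script, no path info.
        script_name, path_info = uri, ""
        m = split.search(uri)
        if m:
            script_name, path_info = m.group(1), m.group(2)
        return DOCUMENT_ROOT + script_name, path_info
    return None


if __name__ == "__main__":
    # Constructed sample URIs (lowercase, since `location ~` is case-sensitive).
    for uri in ("/news/2006/1/24", "/tiff/2007/1/photos/16", "/poll",
                "/news/photos/3", "/a/news/b/review/c", "/index.php"):
        print(f"{uri:26} -> {map_uri(uri)}")
```

The last two matching samples show the edge cases: a URI that starts with a listed name is always handled by the first block, and the greedy `.*` in the second block makes the last listed name in the path the script.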
