Help! Nginx Vulnerable Remote file inclusion
Tim Mensch
tim-nginx at bitgems.com
Sat Dec 3 05:11:35 UTC 2011
Check out this thread and see if it answers your question:

http://mailman.nginx.org/pipermail/nginx/2011-November/030503.html

It's not precisely the same, since you have rfi.php?hal=ass.jpg and not
rfi.php/ass.jpg, but it feels like the same bug, and you're only a
rewrite rule away from having exactly the problem command line.

The short answer is to add this:

    try_files $uri =404;

or this:

    if (!-f $request_filename) { return 404; }

to your PHP configuration in the PHP fastcgi configuration block.

Tim

On 12/2/2011 9:49 PM, escavern wrote:
> the image file is JPEG
> you can see the image file here:
>
>
> http://www.ceriwis.org/ass.jpg
>
> http://ceri.ws/ass.jpg
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,219523,219524#msg-219524
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
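
An added example, not part of the message above or of nginx itself: a small Python check that lists the location blocks in an nginx config that pass requests to FastCGI without either of the two guards quoted in the reply. The sample config, its paths and backend address, and the function names are constructed for illustration; the parser assumes no `#` or braces inside quoted strings or location regexes.

```python
import re

# The two guards suggested in the reply above.
GUARDS = (
    re.compile(r"\btry_files\s+\$uri\s+=404\s*;"),
    re.compile(r"\bif\s*\(\s*!-f\s+\$request_filename\s*\)"),
)

def location_blocks(conf):
    """Yield (header, body) for every location block in the config text."""
    conf = re.sub(r"#[^\n]*", "", conf)            # drop comments
    for m in re.finditer(r"\blocation\s+([^{;]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:             # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def unguarded_fastcgi(conf):
    """Headers of locations that use fastcgi_pass with no file-exists guard."""
    return [hdr for hdr, body in location_blocks(conf)
            if re.search(r"\bfastcgi_pass\b", body)
            and not any(g.search(body) for g in GUARDS)]

# Constructed sample config: one PHP block without a guard, two with.
SAMPLE = r"""
server {
    root /var/www/html;
    location ~ \.php$ {                      # no guard: any *.php URI reaches PHP
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
    }
    location ~ ^/app/.+\.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
    }
    location ~ ^/admin/.+\.php$ {
        if (!-f $request_filename) { return 404; }
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
    }
}
"""

if __name__ == "__main__":
    for header in unguarded_fastcgi(SAMPLE):
        print("fastcgi_pass without file check in: location", header)
```

A nested location is reported together with its parent, since the parent's body contains the child's directives.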