Help! Nginx Vulnerable Remote file inclusion

Tim Mensch tim-nginx at
Sat Dec 3 05:11:35 UTC 2011

Check out this thread and see if it answers your question:

It's not precisely the same, since you have rfi.php?hal=ass.jpg and not 
rfi.php/ass.jpg, but it feels like the same bug, and you're only a 
rewrite rule away from having exactly the problem command line.

The short answer is to add this:

    try_files $uri =404;

or this:

    if (!-f $request_filename) { return 404; }

to your PHP configuration in the PHP fastcgi configuration block.


On 12/2/2011 9:49 PM, escavern wrote:
> the image file is JPEG
> you can see the image file here:
> Posted at Nginx Forum:,219523,219524#msg-219524

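
An added example, not part of the original message and not nginx's own tooling: a small Python check that lists `location` blocks which hand requests to `fastcgi_pass` without either of the two guards quoted in the reply above. The sample configuration, the function names and the backend address are constructed for illustration, and the parsing is an assumption-laden simplification (plain brace matching, no `include` expansion).

```python
import re

# Constructed sample: the first PHP block has no guard, the second carries
# the try_files line quoted in the message above.
SAMPLE_CONF = r"""
server {
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
server {
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
    location /static/ { expires 1d; }
}
"""

# The two guards from the message, as patterns over a location body.
GUARDS = (
    re.compile(r"try_files\s+[^;]*=404\s*;"),
    re.compile(r"if\s*\(\s*!-f\s+\$request_filename\s*\)\s*\{\s*return\s+404\s*;"),
)

def location_blocks(conf):
    """Yield (header, body) per location block via simple brace matching."""
    for m in re.finditer(r"\blocation\s+([^{;]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def unguarded_fastcgi_locations(conf):
    """Headers of locations that use fastcgi_pass without either guard."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments before matching
    return [header for header, body in location_blocks(conf)
            if "fastcgi_pass" in body
            and not any(g.search(body) for g in GUARDS)]

if __name__ == "__main__":
    for header in unguarded_fastcgi_locations(SAMPLE_CONF):
        print("no file-existence guard before fastcgi_pass: location", header)
```

A block reported here is a prompt to review that location by hand; the check does not follow `include` files, so guards defined elsewhere are not seen.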