Nginx+Php-fpm Dangerous Bug
escavern
nginx-forum at nginx.us
Sat Dec 3 08:26:31 UTC 2011
This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
Nginx+php-fpm shows a dangerous bug because it allows the PHP shell
hidden in an image to run,
if you have a PHP script like this:
------------------------------------------------------------------------------------------------------------
<?php
$rfi = $_GET['call'];
include($rfi);
?>
---------------------------------------------------------------------------------------------------------
and the PHP shell embedded in an image (jpg/gif) can be executed
with a request like this:
http://www.your-domain.com/script.php?call=phpshell.jpg
but it does not work when I tried it on Apache.
As an example you can see here:
http://www.ceriwis.org/rfi.php?hal=ass.jpg <------------ using NGINX and PHP shell executed
and
http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using Apache and PHP shell unable to execute
Someone told me I should use:
1. try_files $uri =404; or this:
2. if (!-f $request_filename) { return 404; } or this:
3. cgi.fix_pathinfo=0
4. http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
5. Igor Sysoev's tips:
http://forum.nginx.org/read.php?2,88845,88858#msg-88858
but none of them work; I can still access
http://www.ceriwis.org/rfi.php?hal=ass.jpg and the PHP shell still
appears.
I'm using Nginx 0.8.53 and php-fpm. I got my website hacked 3 times by
this bug.
I hope someone knows what to do about this situation, because I think this
is a serious bug and there will be many victims if it is not solved.
Thanks.
Please give me a solution. Thanks.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,219532,219532#msg-219532
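Added example, not the poster's code: a hardened replacement for the `include($_GET['call'])` pattern in the post. PHP's `include()` executes any readable file as PHP regardless of its extension, so server-level settings such as `try_files` or `cgi.fix_pathinfo` (which govern which URIs reach php-fpm) do not constrain what a script itself includes; the fix is to allowlist the includable page names inside the script. The `pages/` directory and the page names below are assumptions for illustration.

```php
<?php
// Added example (not the poster's code): hardened replacement for include($_GET['call']).
// Assumption: the includable pages live in ./pages/ as PHP files; the names are hypothetical.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Explicit allowlist of page names the 'call' parameter may select.
// Anything else (paths, extensions, uploaded images, remote URLs) is rejected.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolvePage(?string $name): ?string
{
    if ($name === null || !in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = realpath(PAGE_DIR . '/' . $name . '.php');
    // Defence in depth: the resolved file must still sit inside PAGE_DIR,
    // even though the allowlist already excludes traversal sequences.
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($_GET['call'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```

Keeping `allow_url_include=Off` in php.ini (the default) additionally blocks `http://` and similar wrappers in include paths, and upload directories should be served as static files only so nothing inside them is ever handed to php-fpm.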