Nginx+Php-fpm Dangerous Bug

António P. P. Almeida appa at perusio.net
Sat Dec 3 08:44:38 UTC 2011


On 3 Dec 2011 08h26 WET, nginx-forum at nginx.us wrote:

> This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
> Nginx+php-fpm shows a dangerous bug because it allows a PHP shell
> hidden in an image to run.
>
> if you have php script like this:
> ------------------------------------------------------------------------------------------------------------
> <?php
>
> $rfi = $_GET['call'];
> include($rfi);
> ?>
> ---------------------------------------------------------------------------------------------------------
>
> and the PHP shell embedded in an image (jpg/gif) can be executed
> with a request like this:
> http://www.your-domain.com/script.php?call=phpshell.jpg but it
> doesn't work when I tried it on Apache.
>
> As an example you can see here:
>
> http://www.ceriwis.org/rfi.php?hal=ass.jpg <------------ using NGINX,
> and the PHP shell is executed
>
> and
>
> http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using Apache, and
> the PHP shell is unable to execute.
>
> Someone told me I should use:
> 1. try_files $uri =404;
> 2. if (!-f $request_filename) { return 404; }
> 3. cgi.fix_pathinfo=0
> 4. http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
> 5. Igor Sysoev's tips:
> http://forum.nginx.org/read.php?2,88845,88858#msg-88858
> but none of them work; I can still access
> http://www.ceriwis.org/rfi.php?hal=ass.jpg and the PHP shell still
> appears.

The try_files $uri =404 is not very smart since it involves making a
spurious stat() call AFAIK.

Instead you should enumerate all your php files with exact '='
locations and place something
like this at the end of your config.

location ~* \.php {
    return 404;
}

Or if relying on PATH_INFO you should do something like this:

        ## Regular PHP processing.
        location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
            include fastcgi.conf;
            ## The fastcgi_params must be redefined from the ones
            ## given in fastcgi.conf. No longer standard names
            ## but arbitrary: named patterns in regex.
            fastcgi_param SCRIPT_FILENAME $document_root$script;
            fastcgi_param SCRIPT_NAME $script;
            fastcgi_param PATH_INFO $path_info;
            ## Passing the request upstream to the FastCGI
            ## listener.
            fastcgi_pass phpcgi;
        }

Also your script is broken since you grab the value from the URI
without doing any filtering. So you're setting yourself up for being
exploited, even with a safe configuration.

Put also:

; the second line was a duplicate of the first in the original mail;
; allow_url_include is the directive that blocks include() of remote URLs
allow_url_fopen = Off
allow_url_include = Off

in your php.ini

See: http://www.php.net/manual/en/function.filter-var.php

> Please give me solution. thanks

Write code that sanitizes the input appropriately. Of course using
also a safe configuration.

--- appa
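The "sanitize the input" advice above, as an added example that is not part of the thread: a replacement for the quoted `$rfi = $_GET['call']; include($rfi);` that resolves the query value through an allowlist and then checks that the resolved file still lives under the include directory and ends in `.php`. The page names, the `pages/` directory and the `resolve_include` helper are assumptions for the illustration.

```php
<?php
// Added example (not from the thread): a safe replacement for
//   $rfi = $_GET['call']; include($rfi);
// The raw query value never reaches include(); it is only used as a
// key into an allowlist, and the allowlisted target is re-checked.
declare(strict_types=1);

function resolve_include(string $call, string $baseDir, array $allowlist): ?string
{
    // 1. Only an explicitly listed page name is accepted. Paths,
    //    extensions and stream wrappers ("http://", "php://", ...)
    //    are not keys of the map and so fall through to null.
    if (!array_key_exists($call, $allowlist)) {
        return null;
    }

    // 2. Belt and braces: the allowlisted target must resolve (realpath
    //    follows symlinks) to a .php file inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$call]);
    if ($base === false || $path === false) {
        return null;   // directory or target missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the include directory
    }
    if (substr($path, -4) !== '.php') {
        return null;   // an image or other non-PHP file, e.g. phpshell.jpg
    }
    return $path;
}

// Usage in the quoted script (hypothetical page names and directory).
// 'home' and 'about' resolve; 'phpshell.jpg', '../../etc/passwd' and
// 'http://example.invalid/x' all return null and get a 404.
$pages  = ['home' => 'home.php', 'about' => 'about.php'];
$target = resolve_include((string) ($_GET['call'] ?? 'home'), __DIR__ . '/pages', $pages);
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
include $target;
```

The allowlist is the actual control; the realpath and extension checks only guard against a mistake in the map itself, and they do not replace the nginx location fix or the php.ini settings discussed above.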
