Nginx+Php-fpm Dangerous Bug
António P. P. Almeida
appa at perusio.net
Sat Dec 3 08:44:38 UTC 2011
On 3 Dec 2011 08h26 WET, nginx-forum at nginx.us wrote:
> This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
> Nginx+php-fpm shows a dangerous bug because it allows a PHP shell
> hidden in an image to run.
>
> if you have a php script like this:
> ------------------------------------------------------------
> <?php
>
> $rfi = $_GET['call'];   // untrusted value taken straight from the query string
> include($rfi);
> ?>
> ------------------------------------------------------------
>
> and the PHP shell embedded in an image (jpg/gif) can be executed
> with a URL like this:
> http://www.your-domain.com/script.php?call=phpshell.jpg, but it
> doesn't work when I tried it on Apache.
>
> as an example you can see here:
>
> http://www.ceriwis.org/rfi.php?hal=ass.jpg <------------ using NGINX,
> and the phpshell is executed
>
> and
>
> http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using Apache, and
> the phpshell cannot be executed
>
> someone told me I should use:
> 1. try_files $uri =404;
> 2. if (!-f $request_filename) { return 404; }
> 3. cgi.fix_pathinfo=0
> 4. http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
> 5. Igor Sysoev's tips:
>    http://forum.nginx.org/read.php?2,88845,88858#msg-88858
> but none of them work; I can still access
> http://www.ceriwis.org/rfi.php?hal=ass.jpg and the phpshell still
> appears.
The try_files $uri =404 is not very smart since it involves making a
spurious stat() call AFAIK.
Instead you should enumerate all your php files with exact '='
locations and place something like this at the end of your config:

    location ~* \.php {
        return 404;
    }
Or if relying on PATH_INFO you should do something like this:

    ## Regular PHP processing.
    location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
        include fastcgi.conf;
        ## The fastcgi_params must be redefined from the ones
        ## given in fastcgi.conf. No longer standard names
        ## but arbitrary: named patterns in regex.
        fastcgi_param SCRIPT_FILENAME $document_root$script;
        fastcgi_param SCRIPT_NAME $script;
        fastcgi_param PATH_INFO $path_info;
        ## Passing the request upstream to the FastCGI
        ## listener.
        fastcgi_pass phpcgi;
    }
Also, your script is broken since you grab the value from the URI
without doing any filtering, so you're setting yourself up to be
exploited even with a safe configuration.
Also put:

    allow_url_fopen = Off

in your php.ini.
See: http://www.php.net/manual/en/function.filter-var.php
> Please give me a solution. Thanks.
Write code that sanitizes the input appropriately, and of course also
use a safe configuration.
--- appa
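A hardened replacement for the quoted include($_GET['call']) script, added here as an example rather than code from the thread or from appa; it assumes the includable pages live in a pages/ directory next to the script and are named home, about and contact:

```php
<?php
// Added example (not from the original thread): a hardened replacement for
// the include($_GET['call']) script. The request may only name one of a
// fixed set of pages, and the chosen file must resolve below PAGE_DIR, so
// neither a URL nor an uploaded image such as phpshell.jpg can be included.

declare(strict_types=1);

// Directory holding the only files this script may include (assumed path).
const PAGE_DIR = __DIR__ . '/pages';

// Allowlist of page names; the request may only pick one of these.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map an untrusted "call" parameter to a file path inside PAGE_DIR,
 * or return null if the request must be rejected.
 */
function resolve_page(string $call): ?string
{
    // Only short plain names: no slashes, dots, URL schemes or NUL bytes.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $call) !== 1) {
        return null;
    }
    // Exact-match allowlist, checked independently of the pattern above.
    if (!in_array($call, ALLOWED_PAGES, true)) {
        return null;
    }
    $real = realpath(PAGE_DIR . '/' . $call . '.php');
    $base = realpath(PAGE_DIR);
    // realpath() returns false for a missing file; also confirm the
    // resolved path really sits below PAGE_DIR (symlinks included).
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$call = filter_input(INPUT_GET, 'call', FILTER_UNSAFE_RAW);
$page = is_string($call) ? resolve_page($call) : null;

if ($page === null) {
    http_response_code(404);   // unknown or malformed page name: do not include
    exit('Not found');
}
include $page;
```

With this in place the nginx-side rules above still matter, since they stop a direct request for an uploaded file from ever reaching php-fpm; the allowlist stops the script itself from including one.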