Nginx+Php-fpm Dangerous Bug

António P. P. Almeida appa at
Sat Dec 3 08:44:38 UTC 2011

On 3 Dez 2011 08h26 WET, nginx-forum at wrote:

> This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
> Nginx+php-fpm shows a dangerous bug because it allows a
> PHP shell hidden in an image to run,
> if you have a php script like this:
> ------------------------------------------------------------------------------------------------------------
> <?php
> $rfi = $_GET['call'];
> include($rfi);
> ?>
> ---------------------------------------------------------------------------------------------------------
> and the PHP shell embedded in an image (jpg/gif) can be executed
> with a command like this,
> but it
> doesn't affect Apache when I tried it there.
> As an example you can see here:
> <------------ using NGINX
> and the phpshell executed
> and
> <---------------- using Apache and
> the phpshell was unable to execute.
> Someone told me I should use: 1. try_files $uri =404; or this: 2. if
> (!-f $request_filename) { return 404; } or this: 3. cgi.fix_pathinfo=0
> 4.
> 5. Igor Sysoev's tips:
> ,88845,88858#msg-88858 but all of
> them won't work, I can still access
> and the phpshell still
> appears.

The try_files $uri =404 is not very smart since it involves making a
spurious stat() call AFAIK.

Instead you should enumerate all your php files with exact '='
locations and place something
like this at the end of your config.

location ~* \.php {
    return 404;
}

Or if relying on PATH_INFO you should do something like this:

        ## Regular PHP processing.
        location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
            include fastcgi.conf;
            ## The fastcgi_params must be redefined from the ones
            ## given in fastcgi.conf. No longer standard names
            ## but arbitrary: named patterns in regex.
            fastcgi_param SCRIPT_FILENAME $document_root$script;
            fastcgi_param SCRIPT_NAME $script;
            fastcgi_param PATH_INFO $path_info;
            ## Passing the request upstream to the FastCGI
            ## listener.
            fastcgi_pass phpcgi;
        }

Also your script is broken since you grab the value from the URI
without doing any filtering, so you're setting yourself up for being
exploited, even with a safe configuration.

Also put:

allow_url_fopen = Off
allow_url_include = Off

in your php.ini


> Please give me solution. thanks

Write code that sanitizes the input appropriately. Of course using
also a safe configuration.

--- appa
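The file-resolution behaviour this thread is about, modelled in Python as an added example (not code from the post, from nginx or from php-fpm): how php-fpm's cgi.fix_pathinfo walks back a non-existent SCRIPT_FILENAME such as /uploads/cat.jpg/x.php to the image, and why the enumerated exact locations with a final catch-all 404, or the named-capture location combined with cgi.fix_pathinfo=0, make it stop there. The document root, the file names and the helper names are constructed for the demo.

```python
import os
import re
import tempfile

# Python form of the named-capture location regex from the reply above.
PHP_LOCATION = re.compile(r"^(?P<script>.+\.php)(?P<path_info>.*)$")

def php_resolve(docroot, script_filename, fix_pathinfo):
    """Model of how php-fpm picks the file to run from SCRIPT_FILENAME.
    With cgi.fix_pathinfo=1 a missing file makes PHP strip trailing path
    components until something exists; with cgi.fix_pathinfo=0 the exact
    path must exist. Returns the file that would run, or None."""
    full = os.path.normpath(docroot + "/" + script_filename.lstrip("/"))
    if os.path.isfile(full):
        return full
    if not fix_pathinfo:
        return None
    while full.startswith(docroot) and full != docroot:
        full = os.path.dirname(full)
        if os.path.isfile(full):
            return full
    return None

def legacy_location(docroot, uri, fix_pathinfo=True):
    r"""location ~ \.php with SCRIPT_FILENAME $document_root$fastcgi_script_name:
    the whole URI goes to php-fpm, which resolves it on its own."""
    return php_resolve(docroot, uri, fix_pathinfo) if ".php" in uri else None

def exact_locations(docroot, uri, known=("/index.php",)):
    r"""Enumerated 'location = /index.php' blocks followed by a final
    'location ~* \.php { return 404; }': anything not on the list is 404."""
    return php_resolve(docroot, uri, True) if uri in known else None

def pathinfo_location(docroot, uri):
    """The reply's regex location run with cgi.fix_pathinfo=0: nginx splits
    script from PATH_INFO and PHP refuses a script that does not exist."""
    m = PHP_LOCATION.match(uri)
    return php_resolve(docroot, m.group("script"), False) if m else None

def demo():
    # Constructed document root: one real script and one uploaded image.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    for name in ("index.php", "uploads/cat.jpg"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php echo 1;")
    bad = "/uploads/cat.jpg/x.php"  # the URI shape the poster describes
    rel = lambda p: os.path.relpath(p, root) if p else None
    return {
        "legacy": rel(legacy_location(root, bad)),      # 'uploads/cat.jpg'
        "exact": rel(exact_locations(root, bad)),       # None
        "pathinfo": rel(pathinfo_location(root, bad)),  # None
        "ok": rel(pathinfo_location(root, "/index.php/foo")),  # 'index.php'
    }
```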
