Nginx+Php-fpm Dangerous Bug
Edho Arief
edho at myconan.net
Sat Dec 3 09:04:52 UTC 2011
On Sat, Dec 3, 2011 at 3:26 PM, escavern <nginx-forum at nginx.us> wrote:
> This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
> Nginx+php-fpm shows a dangerous bug because it allows a PHP shell
> hidden in an image to run,
>
> if you have php script like this:
> ------------------------------------------------------------------------------------------------------------
> <?php
>
> $rfi = $_GET['call'];
> include($rfi);
> ?>

...you must be kidding me. That's like asking why you get sql
injection when you have code like this: mysql_query("select * from
users where username = '$_GET['user']'").

Use

    echo file_get_contents($rfi);

instead. Note that even with this someone can set the parameter to
something like "../index.php" and with sufficient effort might be able
to locate your database etc (or your /etc/passwd). Something like

    echo file_get_contents('./uploaddir/'.basename($rfi));

is much better. Note that I'm not sufficiently knowledgeable in php so
the recommendation above might still be insecure.

Apache has more hand-holding features which is why it doesn't work.

--
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
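
An added example, not part of the original message or of nginx: a PHP handler that serves the requested upload as bytes instead of passing it to include(), combining the basename() idea from the reply with a realpath() containment check. The `uploaddir` directory and the `call` parameter come from the thread; `resolve_upload`, `UPLOAD_DIR` and `ALLOWED_TYPES` are hypothetical names, and the fileinfo extension is assumed to be available.

```php
<?php
// Added example: serve an uploaded file by name without ever executing it.
// UPLOAD_DIR and ALLOWED_TYPES are assumptions made for this sketch.
const UPLOAD_DIR = __DIR__ . '/uploaddir';
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

/**
 * Resolve a user-supplied name to a regular file inside $baseDir, or null.
 */
function resolve_upload(string $baseDir, string $name): ?string
{
    // Reject NUL bytes and anything that is not a bare file name.
    if ($name === '' || strpos($name, "\0") !== false || basename($name) !== $name) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so re-check that the result is under the base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$name = $_GET['call'] ?? '';
$path = is_string($name) ? resolve_upload(UPLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

// Decide the content type from the file's bytes, not from its name.
$type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
if (!in_array($type, ALLOWED_TYPES, true)) {
    http_response_code(415);
    exit;
}

header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path); // streams bytes; unlike include(), never runs embedded PHP
```

An image that carries PHP code can still pass the type check; what keeps it inert is that the file is only ever read and sent, never included.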