Nginx+Php-fpm Dangerous Bug

Oleksandr V. Typlyns'kyi wangsamp at gmail.com
Sat Dec 3 09:12:33 UTC 2011


Today Dec 3, 2011 at 03:26 escavern wrote:

> This is very dangerous Remote File Inclusion Bug in Nginx+php-fpm
> The Nginx+php-fpm shows a dangerous bug because it allows the PhpShell
> hidden in an Image to Run,
> 
> if you have php script like this:
> ------------------------------------------------------------------------------------------------------------
> <?php
> 
>     $rfi = $_GET['call'];
>     include($rfi);
> ?>
> ---------------------------------------------------------------------------------------------------------

  Include() for files from GET? Do you really think it is good php code?
  http://php.net/manual/en/function.include.php

> and the Php-shell formed in an image (jpg/gif) can be executed to run
> with a command like this
> http://www.your-domain.com/script.php?call=phpshell.jpg

  It does exactly what you want (write) - "includes and evaluates" that file.
  Use fopen()+fread(), file_get_contents() or readfile() and sanitize input from GET.

> but it doesn't affect when I tried on Apache

  Most likely mod_php and php-fpm use different php.ini or even DOCUMENT_ROOT.

  http://www.ceriwis.org/rfi.php?hal=info.php - display_errors=on:
  Warning: include(info.php) [function.include]: failed to open stream: No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
  Warning: include(info.php) [function.include]: failed to open stream: No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
  Warning: include() [function.include]: Failed opening 'info.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/ceriorg/public_html/rfi.php on line 4

  http://ceri.ws/rfi.php?hal=info.php - display_errors=off and silence.

> someone told me I should use:
> 1. try_files $uri =404;  or this:
> 2. if (!-f $request_filename) { return 404; } or this
> 3. cgi.fix_pathinfo=0
> 4. http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
> 5. Igor Sysoev tips:
> http://forum.nginx.org/read.php?2,88845,88858#msg-88858
> but none of them work, I can still access
> http://www.ceriwis.org/rfi.php?hal=ass.jpg  and the phpshell still
> appears.

  0. Fix php code.

-- 
WNGS-RIPE
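The "fix php code" advice above, worked through as an added example (not the poster's script and not code from the nginx list): the `call` parameter is looked up in an allowlist of known page names, and the resolved file is checked with realpath() to lie inside a fixed include directory, so an uploaded `.jpg` can never reach include(). The `pages/` directory and the allowlist entries are assumptions made for this example.

```php
<?php
// Added example: hardened replacement for include($_GET['call']).
// Assumptions (constructed for this example): includable pages live in
// ./pages/, and the allowlist keys are the only values the URL may carry.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Public page name => on-disk file. Anything not listed is rejected, so a
// user-supplied path (or an uploaded image) is never handed to include().
const PAGE_ALLOWLIST = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolvePage(string $name): ?string
{
    if (!array_key_exists($name, PAGE_ALLOWLIST)) {
        return null;                       // unknown page name
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_ALLOWLIST[$name]);
    // Defence in depth: even an allowlisted entry must resolve to a regular
    // file underneath PAGES_DIR (catches symlink or misconfiguration escapes).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

$page = resolvePage((string) ($_GET['call'] ?? 'home'));
if ($page === null) {
    http_response_code(404);            // e.g. ?call=phpshell.jpg ends here
    exit('Not found');
}
include $page;
```

If the goal is only to show a file's contents rather than execute it, readfile() on the same validated path is the right call, as the reply suggests.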
