nginx 0day exploit for nginx + fastcgi PHP

Michael Shadle mike503 at gmail.com
Thu Jan 27 09:04:19 MSK 2011


On Wed, Jan 26, 2011 at 9:23 PM, Edho P Arief <edhoprima at gmail.com> wrote:

> I believe one of the solutions is adding
>
> try_files $uri =403;

It adds another stat call or two, but I believe it's acceptable (and
the stat calls are cached using open_file_cache).

> And the other is to not use php at all :)

Blasphemy!

You can also use something Igor had mentioned using named captures:

location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
        # ... other fastcgi params ...
        fastcgi_param SCRIPT_FILENAME  $document_root$script;
}
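
A small Python model of the two checks discussed in this message, added here as an illustration and not code from the thread or from nginx: it shows which requests `try_files $uri =403;` lets through and how the named captures split a URI into script and path info. The function names, the temporary document root and the sample URIs are constructed for the example.

```python
import os
import re
import tempfile

# Python spelling of the location regex from the message; PCRE's (?<name>...)
# is written (?P<name>...) in Python's re module.
LOCATION = re.compile(r"^(?P<script>.+\.php)(?P<path_info>.*)$")


def split_script(uri):
    """Return (script, path_info) as the named captures would, or None."""
    m = LOCATION.match(uri)
    return (m.group("script"), m.group("path_info")) if m else None


def try_files_passes(docroot, uri):
    """Model of `try_files $uri =403;`: True only if $document_root$uri is a
    regular file; otherwise nginx answers 403 and PHP is never reached."""
    return os.path.isfile(os.path.join(docroot, uri.lstrip("/")))


def script_filename(docroot, uri):
    """Value SCRIPT_FILENAME would get ($document_root$script), or None."""
    parts = split_script(uri)
    return docroot + parts[0] if parts else None


def make_docroot():
    """Constructed sample tree: one PHP script and one static file."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "logo.png"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    root = make_docroot()
    # Constructed sample URIs. The last one shows that `.+` is greedy: the
    # script capture runs to the last ".php" in the URI.
    for uri in ("/index.php", "/index.php/article/42", "/missing.php",
                "/logo.png", "/a.php/b.php"):
        verdict = "pass" if try_files_passes(root, uri) else "403"
        print(f"{uri:24} try_files={verdict:4} captures={split_script(uri)}")
```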


