Some security vulnerable
Thomas Love
tomlove at gmail.com
Sun Jun 5 17:40:24 MSD 2011
On 5 June 2011 12:01, Kraiser <nginx-forum at nginx.us> wrote:
> What do you guys think about implement this into nginx just like it is
> in apache?
> if ( $fastcgi_script_name ~ \..*\/.*php ) {
> return 403;
> }
> because without that some servers which allows to upload images are
> vulnerable to external exploits.
>
They're vulnerable because of bad site design and configuration
(although I do think nginx's location parsing logic makes it
uncomfortably easy to produce insecure configurations). Why not
eliminate the vulnerability instead of hardening against it with more
configuration? The .php match should not be attempted in any untrusted
user-upload directory -- use sub-locations.
Thomas
More information about the nginx
mailing list