Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

António P. P. Almeida appa at perusio.net
Tue Mar 8 22:09:47 MSK 2011


On 8 Mar 2011 14h33 WET, nginx-forum at nginx.us wrote:

> Hi,
>
> I discovered a vulnerability in your best practice wiki article:
> http://wiki.nginx.org/Pitfalls#Proxy_Everything
>
> The configuration which is promoted as "good" doesn't work as
> intended:
>
> <<<>>>
> server {
> server_name _;
> root /var/www/site;
> location / {
> try_files $uri $uri/ @proxy;
> }
> location @proxy {
> include fastcgi_params;
> fastcgi_param SCRIPT_FILENAME
> $document_root$fastcgi_script_name;
> fastcgi_pass unix:/tmp/phpcgi.socket;
> }
> }
> <<<>>>
>
> try_files checks if a file exists and if it does, it is simply
> returned to the browser. This is a good thing for static files, but
> with this configuration PHP files are not parsed.
>
> <<<>>>
> $ curl -i http://foo.lan/info.php
> HTTP/1.1 200 OK
> Server: nginx/0.8.54
> Date: Tue, 08 Mar 2011 14:08:07 GMT
> Content-Type: application/octet-stream
> Content-Length: 20
> Last-Modified: Tue, 08 Mar 2011 13:05:32 GMT
> Connection: keep-alive
> Accept-Ranges: bytes
>
> <?php phpinfo(); ?>
> <<<>>>
>
> The configuration works, i.e. the PHP files are parsed, only in one
> case: If nginx believes the file does not exist (although it does)
> and hands the request to the FastCGI instance.
>
> <<<>>>
> C:\Users\Lukas>curl -i http://foo.lan/info.php/asdf
> HTTP/1.1 200 OK
> Server: nginx/0.8.54
> Date: Tue, 08 Mar 2011 14:21:17 GMT
> Content-Type: text/html
> Transfer-Encoding: chunked
> Connection: keep-alive
> X-Powered-By: PHP/5.3.5-1 <-------- This file was parsed by PHP as
> intended.
>
> [...]
> <<<>>>

That's a generic example. The pitfalls page is meant to warn you
against some inadvisable practices. It's not meant to be a config
recipe. You should always adapt your config to your application.

As a rule all PHP (or whatever language file) scripts should be
enumerated in the config, if possible with exact matchings, or if
using PATHINFO with the correct pattern.

Otherwise you're setting yourself up for getting p0wned.

--- appa
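The fix the reply is pointing at, as an added example and not a configuration from the wiki page or from either poster: PHP scripts get their own explicit location, so the `try_files` in `location /` can no longer serve a `.php` file's source as a static file. The hostname is a placeholder; the document root and the FastCGI socket path are taken from the quoted configuration.

```nginx
server {
    listen 80;
    server_name example.test;          # placeholder hostname
    root /var/www/site;

    # Static files are served from disk; anything else is handed to the
    # application's front controller instead of an open-ended @proxy.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Every request ending in .php is matched here explicitly. Because this
    # block is the only one that talks to FastCGI, and "location /" never
    # sees a .php URI, the source of info.php cannot be returned as
    # application/octet-stream the way the quoted curl output shows.
    location ~ \.php$ {
        # Refuse scripts that do not exist on disk rather than forwarding
        # the request to the FastCGI backend.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}
```

With this layout a request for `/info.php` is parsed by PHP, while `/info.php/asdf` no longer matches the PHP location at all and falls through to `location /`, where it is routed to the front controller. If the application genuinely needs PATH_INFO-style URLs, the PHP location has to use a pattern that captures the script part (nginx's `fastcgi_split_path_info` directive exists for exactly that), which is the "correct pattern" the reply refers to; an exact `\.php$` match is the safer default when PATH_INFO is not required.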