Vulnerability in "Proxy Everything" (Wiki article Pitfalls)
Cliff Wells
cliff at develix.com
Tue Mar 8 22:25:41 MSK 2011
On Tue, 2011-03-08 at 19:09 +0000, António P.P.Almeida wrote:
> That's a generic example. The pitfalls page is meant to warn you
> against some inadvisable practices. It's not meant to be a config
> recipe. You should always adapt your config to your application.
>
> As a rule all PHP (or whatever language file) scripts should be
> enumerated in the config, if possible with exact matchings, or if
> using PATHINFO with the correct pattern.
>
> Otherwise you're setting yourself up for getting p0wned.
So... maybe this pitfall should also be covered in the pitfalls page and
linked to from that example?
I agree with the OP that this example is bad, and given that people
usually read the minimal amount of documentation required to solve a
task, it's likely people will be caught with this.
Cliff
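As an added illustration of the rule António states in the quoted reply (enumerate every script the application exposes, with exact matches where possible), here is a minimal nginx server block in that style. It is an example written for this page, not a config from the thread, the wiki Pitfalls page or any nginx project source. Assumptions: the application has a single PHP front controller at /index.php, the document root is /srv/app/public, PHP-FPM listens on 127.0.0.1:9000, and the hostname example.invalid is a placeholder.

```nginx
# Added example, not from the thread or the wiki Pitfalls page.
# Assumptions: one PHP front controller at /index.php, PHP-FPM on
# 127.0.0.1:9000, document root /srv/app/public (all constructed values).
server {
    listen 80;
    server_name example.invalid;
    root /srv/app/public;
    index index.php;

    # Static files and clean URLs: serve the file if it exists,
    # otherwise hand the request to the one PHP entry point.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # The only PHP script the application exposes, matched exactly.
    # SCRIPT_FILENAME is fixed to that file rather than derived from
    # the request URI, so nothing else under the document root is ever
    # handed to PHP. This is the "enumerate your scripts" rule.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Any other request ending in .php gets an explicit 404 instead of
    # falling through to a generic "pass everything to PHP" block.
    location ~ \.php$ {
        return 404;
    }
}
```

The exact-match location takes priority over the regex one in nginx's location selection, so /index.php reaches PHP-FPM while every other .php path is refused; an application with several entry points would add one `location =` block per script rather than widening the pattern.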