Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Adrian von Stechow adrianvonstechow at gmail.com
Tue Mar 8 22:26:20 MSK 2011


This was a discussion in this ML a few weeks ago labelled "nginx 0day"
or so. A few sample configs that don't run into this problem were
posted. I check for the existence of the php file inside the proxy
location with
try_files $uri =403
for example.
And of course always be sure to have cgi.fix_pathinfo=0 if you don't need it.

bb, proud owner of a hacked pathinfo box.

On 08.03.2011, at 20:15, António P. P. Almeida <appa at perusio.net> wrote:

> On 8 Mar 2011 14h33 WET, nginx-forum at nginx.us wrote:
>
>> Hi,
>>
>> I discovered a vulnerability in your best practice wiki article:
>> http://wiki.nginx.org/Pitfalls#Proxy_Everything
>>
>> The configuration which is promoted as "good" doesn't work as
>> intended:
>>
>> <<<>>>
>> server {
>>     server_name _;
>>     root /var/www/site;
>>     location / {
>>         try_files $uri $uri/ @proxy;
>>     }
>>     location @proxy {
>>         include fastcgi_params;
>>         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
>>         fastcgi_pass unix:/tmp/phpcgi.socket;
>>     }
>> }
>> <<<>>>
>>
>> try_files checks if a file exists and if it does, it is simply
>> returned to the browser. This is a good thing for static files, but
>> with this configuration PHP files are not parsed.
>>
>> <<<>>>
>> $ curl -i http://foo.lan/info.php
>> HTTP/1.1 200 OK
>> Server: nginx/0.8.54
>> Date: Tue, 08 Mar 2011 14:08:07 GMT
>> Content-Type: application/octet-stream
>> Content-Length: 20
>> Last-Modified: Tue, 08 Mar 2011 13:05:32 GMT
>> Connection: keep-alive
>> Accept-Ranges: bytes
>>
>> <?php phpinfo(); ?>
>> <<<>>>
>>
>> The configuration works, i.e. the PHP files are parsed, in only one
>> case: if nginx believes the file does not exist (although it does)
>> and hands the request to the FastCGI instance.
>>
>> <<<>>>
>> C:\Users\Lukas>curl -i http://foo.lan/info.php/asdf
>> HTTP/1.1 200 OK
>> Server: nginx/0.8.54
>> Date: Tue, 08 Mar 2011 14:21:17 GMT
>> Content-Type: text/html
>> Transfer-Encoding: chunked
>> Connection: keep-alive
>> X-Powered-By: PHP/5.3.5-1 <-------- This file was parsed by PHP as
>> intended.
>>
>> [...]
>> <<<>>>
>
> That's a generic example. The pitfalls page is meant to warn you
> against some inadvisable practices. It's not meant to be a config
> recipe. You should always adapt your config to your application.
>
> As a rule all PHP (or whatever language file) scripts should be
> enumerated in the config, if possible with exact matches, or if
> using PATHINFO with the correct pattern.
>
> Otherwise you're setting yourself up for getting p0wned.
>
> --- appa
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx
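
Added example, not from the wiki page or from any of the posters above: the quoted "Proxy Everything" config with comments explaining the two behaviours reported (source served raw for /info.php, script executed for /info.php/asdf), followed by a hardened version along the lines both replies recommend. The root directory and socket path are the ones in the quoted config; routing non-existent URIs to /index.php as a front controller is an assumption about the application. The two server blocks are shown side by side for comparison only; they share a server_name and are not meant to be loaded together.

```nginx
# ---- The quoted "Proxy Everything" config, annotated (behaviour as reported above) ----
server {
    server_name _;
    root /var/www/site;

    location / {
        # /info.php exists on disk, so try_files matches $uri and nginx serves the
        # PHP source as a static file (application/octet-stream). Only a URI that
        # maps to nothing, such as /info.php/asdf, falls through to @proxy.
        try_files $uri $uri/ @proxy;
    }

    location @proxy {
        include fastcgi_params;
        # For /info.php/asdf this becomes /var/www/site/info.php/asdf. That path
        # does not exist; PHP with cgi.fix_pathinfo=1 walks back to info.php and
        # runs it, which is the only reason the report saw the script parsed.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}

# ---- Hardened version: PHP scripts are routed explicitly and never served raw ----
server {
    server_name _;
    root /var/www/site;

    # Static files only. Anything not on disk goes to the front controller
    # (/index.php is assumed here) instead of to a catch-all FastCGI block.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # The single way into FastCGI: the URI must end in .php and the script must
    # exist on disk. Otherwise nginx answers 404 itself and PHP never sees the
    # request, so a request like /uploads/evil.jpg/x.php cannot be smuggled to
    # the interpreter even if cgi.fix_pathinfo=0 was forgotten in php.ini.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}
```

With the hardened block, /info.php is executed (regex location, file exists) and its source is never served, while /info.php/asdf no longer matches the PHP location at all: it falls into location /, try_files finds nothing on disk and the request is rewritten to /index.php. If an application genuinely needs PATH_INFO, the regex must be widened (for example `~ ^(.+\.php)(/.*)?$`) and fastcgi_split_path_info used to set SCRIPT_FILENAME from the script part only; keep `try_files` against the script path and `cgi.fix_pathinfo=0` regardless, so neither nginx nor PHP guesses which file to run.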