PH Fast-CGI security pitfall

Maxim Khitrov max at mxcrypt.com
Tue Nov 22 19:58:07 UTC 2011


On Tue, Nov 22, 2011 at 2:32 PM, B.R. <reallfqq-nginx at yahoo.fr> wrote:
> Hello,
>
> I juste read this article which highlight a common security pitfall to serve
> PHP files.
> I don't see any similar advice in your PHP on Fast-CGI tutorial nor your
> pitfalls page.
>
> On the last page, you tell about the problem in the Pass Non-PHP Requests to
> PHP section, you seem to point in the right direction in the Proxy
> everything section, but not for the right reasons.
> You tell people to use an 'if' to check for file existence, but the use of
> 'try' is much better, a you know it since you redirect to the IfIsEvil page.
>
> The article I gave you reference to offers 5 different wys to secure the
> server. The 'try_files $uri =404;' seems to be a nice way of preventing
> non-PHP script from being executed, isn't it?

I generally use the following template for serving PHP via FastCGI:

location ~ \.php$ {
    if (!-f $request_filename) { return 404; }

    fastcgi_pass 127.0.0.1:8000;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    ...
}

The 'if' statement causes 404 to be returned unless the requested file
actually exists. Making sure that people can't upload files ending in
'.php' is a separate mater, but I believe that this configuration
takes care of the security issue described in your first link.

For the given example, nginx detects that
http://www.bambookites.com/uploads/random.gif/somefilename.php doesn't
refer to an actual php file, so nothing is passed to the interpreter.

- Max



More information about the nginx mailing list