PH Fast-CGI security pitfall

Roman Vasilyev roman.vasilyev at yousendit.com
Tue Nov 22 20:06:36 UTC 2011


According previous article 
http://wiki.nginx.org/Pitfalls#Front_Controller_Pattern_based_packages

in your template better to write:

location ~ \.php$ {
     try_files $uri =404;

     fastcgi_pass 127.0.0.1:8000;
     fastcgi_param SCRIPT_FILENAME $request_filename;
     ...
}



On 11/22/2011 11:58 AM, Maxim Khitrov wrote:
> On Tue, Nov 22, 2011 at 2:32 PM, B.R.<reallfqq-nginx at yahoo.fr>  wrote:
>    
>> Hello,
>>
>> I juste read this article which highlight a common security pitfall to serve
>> PHP files.
>> I don't see any similar advice in your PHP on Fast-CGI tutorial nor your
>> pitfalls page.
>>
>> On the last page, you tell about the problem in the Pass Non-PHP Requests to
>> PHP section, you seem to point in the right direction in the Proxy
>> everything section, but not for the right reasons.
>> You tell people to use an 'if' to check for file existence, but the use of
>> 'try' is much better, a you know it since you redirect to the IfIsEvil page.
>>
>> The article I gave you reference to offers 5 different wys to secure the
>> server. The 'try_files $uri =404;' seems to be a nice way of preventing
>> non-PHP script from being executed, isn't it?
>>      
> I generally use the following template for serving PHP via FastCGI:
>
> location ~ \.php$ {
>      if (!-f $request_filename) { return 404; }
>
>      fastcgi_pass 127.0.0.1:8000;
>      fastcgi_param SCRIPT_FILENAME $request_filename;
>      ...
> }
>
> The 'if' statement causes 404 to be returned unless the requested file
> actually exists. Making sure that people can't upload files ending in
> '.php' is a separate mater, but I believe that this configuration
> takes care of the security issue described in your first link.
>
> For the given example, nginx detects that
> http://www.bambookites.com/uploads/random.gif/somefilename.php doesn't
> refer to an actual php file, so nothing is passed to the interpreter.
>
> - Max
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>    



More information about the nginx mailing list