Did nginx fix the php/pathinfo exploit in the core?
howard chen
howachen at gmail.com
Sat Dec 15 07:00:53 UTC 2012
Now I tried to test for the exploit
(http://forum.nginx.org/read.php?2,88845,88996); nginx returns 403 directly
without hitting my backend php
===============
curl -s -D - 'http://www.example.com/test.jpg/f.php'
HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 14 Dec 2012 17:40:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Access denied.
===============
In which version was it fixed?
Thanks.