Did nginx fixed the php/pathinfo exploit in the core?

howard chen howachen at gmail.com
Sat Dec 15 07:00:53 UTC 2012

Now tried to test for the exploit (
http://forum.nginx.org/read.php?2,88845,88996) , nginx return 403 directly
without hitting my backend php


curl  -s -D - 'http://www.example.com/test.jpg/f.php'

HTTP/1.1 403 Forbidden

Server: nginx

Date: Fri, 14 Dec 2012 17:40:03 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Access denied.


Which version it was fixed?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20121215/86eaba89/attachment.html>

More information about the nginx mailing list