Did nginx fix the php/pathinfo exploit in the core?
Francis Daly
francis at daoine.org
Sat Dec 15 14:20:19 UTC 2012
On Sat, Dec 15, 2012 at 03:00:53PM +0800, howard chen wrote:
Hi there,
> Now tried to test for the exploit (
> http://forum.nginx.org/read.php?2,88845,88996), nginx returns 403 directly
> without hitting my backend php.
> Which version was it fixed in?
What's in your nginx.conf?
The one location that matches /test.jpg/f.php, plus the server-level
config if relevant?
I suspect it was fixed in "whichever version you used a suitable
configuration in".
(But maybe I misunderstood the nature of the problem.)
f
--
Francis Daly francis at daoine.org
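
Added example, not part of the message above and not taken from the poster's nginx.conf (which the thread does not show): two constructed server blocks illustrating why the outcome for /test.jpg/f.php depends on the configuration rather than on the nginx version. The server names, root path and backend address are assumptions.

```nginx
# Constructed example. Names, paths and the backend address are placeholders.

# Weak: every URI ending in .php is handed to the backend, whether or not
# such a file exists. /test.jpg/f.php matches this location, and with PHP's
# cgi.fix_pathinfo=1 the interpreter may fall back to running /test.jpg.
server {
    listen      80;
    server_name weak.example;
    root        /var/www/html;

    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   127.0.0.1:9000;
    }
}

# Hardened: nginx checks that the requested script exists on disk before
# contacting the backend. /test.jpg/f.php is not a file under the root
# (test.jpg is a regular file, not a directory), so nginx answers 404
# itself and PHP never sees the request.
server {
    listen      80;
    server_name hardened.example;
    root        /var/www/html;

    location ~ \.php$ {
        try_files      $uri =404;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   127.0.0.1:9000;
    }
}
```

Running `nginx -T` prints the effective configuration, which shows which location a request such as /test.jpg/f.php will match and whether a file-existence check sits in front of `fastcgi_pass`.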