nginx 0day exploit for nginx + fastcgi PHP
zsero
nginx-forum at nginx.us
Tue Oct 30 17:01:58 UTC 2012
I know it's an old thread but my question really belongs here.
1. Can you confirm that with recent PHP implementations (5.3.9+) this fix
isn't needed anymore?
2. Does it mean that some PHP implementations like the up-to-date ones in
the DotDeb repository don't need it (PHP 5.4.8 and PHP 5.3.18), but Debian
stable still needs it (5.3.3-7+squeeze14)?
http://packages.debian.org/stable/php/
http://www.dotdeb.org/
Thanks!
Reinis Rozitis Wrote:
-------------------------------------------------------
> > Seriously if it doesn't work for lighttpd that uses php fcgi and works
> > for nginx it is nginx issue isn't it ?
>
> With certain configuration similar issues are also in apache but it
> doesn't necessarily mean the webserver is at fault.
>
> Since php 5.3.9 the fpm sapi has 'security.limit_extensions'
> (defaults to '.php') which limits the extensions of the main script
> FPM will allow to parse.
> It should prevent poor configuration mistakes.
>
>
> rr
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,88845,232398#msg-232398
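
The version and configuration check this exchange turns on, as an added example that is not part of the original thread or of PHP or nginx: it reads a PHP-FPM configuration, compares the PHP version against the 5.3.9 threshold quoted above, and reports per pool whether `security.limit_extensions` is in effect. The function names, pool names and sample configuration are constructed for illustration, and the version comparison assumes the upstream x.y.z number only, so a distribution backport would not be detected.

```python
import re

MIN_VERSION = (5, 3, 9)  # first PHP release with the directive, per the reply above
# Constructed sample FPM configuration (pool names are made up for this example).
SAMPLE_CONF = """\
[global]
[www]
[uploads]
security.limit_extensions =        ; explicitly emptied
[legacy]
security.limit_extensions = .php .html
"""

def upstream_version(version):
    # Keep only the leading x.y.z of a package version like '5.3.3-7+squeeze14'.
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % version)
    return tuple(int(part) for part in m.groups())

def pool_extensions(conf_text):
    # Map each pool to its security.limit_extensions list (None = not set).
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:
            current = section.group(1)
            pools.setdefault(current, None)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "security.limit_extensions":
                pools[current] = value.strip("'\"").split()
    return {p: e for p, e in pools.items() if p != "global"}

def audit(php_version, conf_text):
    if upstream_version(php_version) < MIN_VERSION:
        return {p: "unsupported" for p in pool_extensions(conf_text)}
    findings = {}
    for pool, exts in pool_extensions(conf_text).items():
        if exts is None:
            findings[pool] = "ok: default .php"
        elif not exts:
            findings[pool] = "disabled: empty value allows every extension"
        elif all(e.lower().startswith(".php") for e in exts):
            findings[pool] = "ok: " + " ".join(exts)
        else:
            findings[pool] = "review: " + " ".join(exts)
    return findings
```

Calling `audit("5.3.3-7+squeeze14", SAMPLE_CONF)` marks every pool as unsupported, while `audit("5.4.8", SAMPLE_CONF)` separates the pool relying on the default from the one that emptied the directive and the one that widened it.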