nginx 0day exploit for nginx + fastcgi PHP

zsero nginx-forum at nginx.us
Tue Oct 30 17:01:58 UTC 2012


I know it's an old thread but my question really belongs here.

1. Can you confirm that with recent PHP implementations (5.3.9+) this fix
isn't needed anymore?

2. Does it mean that some PHP implementations like the up-to-date ones in
the DotDeb repository don't need it (PHP 5.4.8 and PHP 5.3.18), but Debian
stable still needs it (5.3.3-7+squeeze14)?
http://packages.debian.org/stable/php/
http://www.dotdeb.org/

Thanks!





Reinis Rozitis Wrote:
-------------------------------------------------------
> > Seriously if it doesn't work for lighttpd that uses php fcgi and
> > works for nginx it is nginx issue isn't it?
> 
> With certain configurations similar issues are also in apache but it
> doesn't necessarily mean the webserver is at fault.
> 
> Since php 5.3.9 the fpm sapi has 'security.limit_extensions' 
> (defaults to '.php') which limits the extensions of the main script 
> FPM will allow to parse.
> It should prevent poor configuration mistakes.
> 
> 
> rr 
> 

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,88845,232398#msg-232398
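
An audit check for the `security.limit_extensions` setting discussed in the quoted reply, as an added example that is not part of the original thread or of PHP or nginx. The function names and the sample configuration are constructed for illustration; the check compares the upstream version number only (it assumes the distribution has not backported the directive), and the empty-value behaviour follows the note in PHP-FPM's sample pool configuration.

```python
import re

MIN_VERSION = (5, 3, 9)  # first PHP with security.limit_extensions, per the quoted reply

def upstream_version(version_string):
    """Leading x.y.z of a package version such as '5.3.3-7+squeeze14'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % version_string)
    return tuple(int(p) for p in m.groups())

def parse_pools(conf_text):
    """Return {section: {key: value}} from php-fpm ini-style config text."""
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = pools.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return pools

def audit(version_string, conf_text):
    """Return {pool: (status, extensions)} for each pool section."""
    supported = upstream_version(version_string) >= MIN_VERSION
    report = {}
    for name, settings in parse_pools(conf_text).items():
        if name == "global":
            continue  # daemon-wide settings, not a pool
        exts = settings.get("security.limit_extensions", ".php").split()
        if not supported:
            report[name] = ("unsupported", [])  # version predates the directive
        elif not exts:
            report[name] = ("disabled", [])     # empty value allows any extension
        elif exts == [".php"]:
            report[name] = ("ok", exts)
        else:
            report[name] = ("review", exts)     # widened beyond the default
    return report

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
[www]  ; directive not set, so the default applies
[legacy]
security.limit_extensions = .php .html  ; widened
[uploads]
security.limit_extensions =
"""
```

A pool reported as `unsupported` or `disabled` gets no extension filtering from FPM, so the web server configuration is the only thing deciding which files reach the interpreter.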


