Passing Uncontrolled Requests to PHP
António P. P. Almeida
appa at perusio.net
Thu Feb 13 16:51:03 UTC 2014
No, you're just addressing the cgi.fix_pathinfo issue. If I manage to upload
a file called owned.php, I can execute it because you don't whitelist the
scripts that can be executed.
----appa
On Thu, Feb 13, 2014 at 5:44 PM, Grant <emailgrant at gmail.com> wrote:
> Does the wiki example mitigate the "Passing Uncontrolled Requests to PHP"
> risk?
>
> location ~ [^/]\.php(/|$) {
>     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
>     if (!-f $document_root$fastcgi_script_name) {
>         return 404;
>     }
>
>     fastcgi_pass 127.0.0.1:9000;
>     fastcgi_index index.php;
>     include fastcgi_params;
> }
>
> http://wiki.nginx.org/PHPFcgiExample
>
> http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
>
> If not, I'd like to update it.
>
> - Grant
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
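The whitelist appa is asking for, as an added example (this is not configuration from the thread, the nginx wiki, or the nginx project). The first location is the wiki pattern quoted above, kept only to show the gap: the `-f` test proves the file exists, so an attacker who gets owned.php into the document root passes it. The second set passes only named front controllers to php-fpm and returns 404 for every other *.php. The entry-point names /index.php and /admin.php, the /uploads/ directory, and the php-fpm address 127.0.0.1:9000 are assumptions for the example.

```nginx
# Added example, not from the mailing-list thread or the nginx wiki.
# Assumptions: the application's only PHP entry points are /index.php and
# /admin.php, user uploads land under /uploads/, and php-fpm listens on
# 127.0.0.1:9000.

# Weak (wiki pattern): any existing *.php under $document_root is executed,
# including /uploads/owned.php, because the only check is file existence.
# It does stop the cgi.fix_pathinfo trick (/uploads/pic.jpg/x.php), since
# x.php does not exist, but nothing else.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fastcgi_params;
}

# Hardened: whitelist the scripts that may reach php-fpm. nginx evaluates
# regex locations in file order, so this block must precede the catch-all.
location ~ ^/(index|admin)\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Still refuse if the entry point itself is missing from disk.
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fastcgi_params;
    # Set explicitly: the stock fastcgi_params file does not define
    # SCRIPT_FILENAME (fastcgi.conf does), and PATH_INFO comes from the split.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
}

# Upload directory: ^~ wins over regex locations, so nothing here can reach
# php-fpm; files are served as static content and *.php names get a 404.
location ^~ /uploads/ {
    location ~ \.php$ {
        return 404;
    }
}

# Catch-all: any other *.php, wherever it lives, is never passed upstream.
location ~ \.php$ {
    return 404;
}
```

With the whitelist in place the upload case appa describes fails closed: a request for /uploads/owned.php hits the ^~ /uploads/ block, and /somewhere/owned.php falls through to the final 404 location, regardless of whether the file exists. A quick check after a reload is to request an existing, deliberately non-whitelisted .php file in the document root and confirm nginx answers 404 rather than executing it.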