Passing Uncontrolled Requests to PHP
Grant
emailgrant at gmail.com
Thu Feb 13 16:57:58 UTC 2014
> No, you're just addressing the cgi_fixpathinfo issue. If I manage to upload a
> file called owned.php, I can execute it because you don't whitelist the
> scripts that can be executed.
So disabling PHP execution in user upload directories and using the
location block from the wiki should mitigate this risk?
- Grant
>> Does the wiki example mitigate the "Passing Uncontrolled Requests to PHP"
>> risk?
>>
>> location ~ [^/]\.php(/|$) {
>>     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
>>     if (!-f $document_root$fastcgi_script_name) {
>>         return 404;
>>     }
>>
>>     fastcgi_pass 127.0.0.1:9000;
>>     fastcgi_index index.php;
>>     include fastcgi_params;
>> }
>>
>> http://wiki.nginx.org/PHPFcgiExample
>>
>> http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
>>
>> If not, I'd like to update it.
>>
>> - Grant
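As an added illustration (not part of this thread or the nginx wiki page), this is one way to combine the wiki's location block with a rule that refuses to hand anything under an upload directory to PHP-FPM. The server_name, root and the /uploads/ path are assumed; adjust them to the site in question.

```nginx
server {
    listen 80;
    server_name example.com;          # assumed
    root /var/www/example;            # assumed document root

    # Upload directory (assumed path). The ^~ modifier makes this prefix
    # match win outright, so nginx never consults the regex PHP location
    # below for these URIs and an uploaded owned.php is never executed.
    location ^~ /uploads/ {
        # Refuse .php (and .php/anything) here instead of serving it as a
        # static file, which would disclose the file's source.
        location ~ \.php(/|$) {
            return 403;
        }
        try_files $uri =404;
    }

    # The wiki block: only pass requests whose script actually exists on
    # disk, so /image.jpg/x.php cannot be mapped back onto image.jpg.
    # Keep cgi.fix_pathinfo=0 in php.ini as well, as defence in depth.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}
```

Because regex locations are tried in the order they appear and a `^~` prefix match stops that search, the order of the two blocks matters; a quick check after reloading is to request `/uploads/test.php` and confirm a 403 rather than a 200 or PHP output.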