Welcome! Log In Create A New Profile

Re: Possible widespread PHP configuration issue - security risk

Forum List Message List New Topic Print View

brianmercer

August 27, 2010 12:22PM

Registered: 14 years ago
Posts: 65

Ed W Wrote:
-------------------------------------------------------
> Look, not had a lot of success raising this
> quietly. The Nginx wiki
> has a number of very insecure PHP configuration
> suggestions. Anyone
> using these example configurations should
> immediately review their
> configuration and ensure that they aren't
> vulnerable to an upload attack
> where uploaded files might be accidentally treated
> as executable files
> by nginx
>

More discussion and proposed fixes here: http://forum.nginx.org/read.php?2,88845,88996

In addition to:

1. disabling .php execution in upload directories;
2. adding a try_files to your .php location to check that the requested .php file exists;
you can also change this setting in php.ini

cgi.fix_pathinfo=1

to

cgi.fix_pathinfo=0

to disable that feature and then use

location ~ ^(.+\.php)(.*)$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass http://localhost:9000;
}

if you have software that needs the path_info feature. The only thing I use that does is chive.

Thanks in advance for updating the wiki

Reply Quote

RSS

Subject	Author	Posted
Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 11:28AM
Re: Possible widespread PHP configuration issue - security risk	zuborg	August 27, 2010 11:47AM
Re: Possible widespread PHP configuration issue - security risk	Jim Ohlstein	August 27, 2010 11:50AM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:10PM
Re: Possible widespread PHP configuration issue - security risk	Jim Ohlstein	August 27, 2010 12:18PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:30PM
Re: Possible widespread PHP configuration issue - security risk	vesperto	August 27, 2010 12:36PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:48PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 01:14PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:24PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 01:50PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:54PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:52PM
Re: Possible widespread PHP configuration issue - security risk	ubitux	August 27, 2010 01:56PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:10PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:16PM
Re: Possible widespread PHP configuration issue - security risk	mike	August 27, 2010 02:22PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:44PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 28, 2010 06:38AM
Re: Possible widespread PHP configuration issue - security risk	brianmercer	August 27, 2010 12:22PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:26PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:46PM
Re: Possible widespread PHP configuration issue - security risk	brianmercer	August 27, 2010 01:17PM
Re: Possible widespread PHP configuration issue - security risk	Maxim Dounin	August 27, 2010 01:26PM
Re: Possible widespread PHP configuration issue - security risk	Boris Dolgov	August 27, 2010 01:26PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:38PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:52PM
Re: Possible widespread PHP configuration issue - security risk	Raina Gustafson	August 27, 2010 01:02PM
Re: Possible widespread PHP configuration issue - security risk	Ensiferous	August 30, 2010 12:46PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 322

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018