Welcome! Log In Create A New Profile

Re: Possible widespread PHP configuration issue - security risk

Forum List Message List New Topic Print View

Cliff Wells

August 27, 2010 02:10PM

Registered: 15 years ago
Posts: 288

On Fri, 2010-08-27 at 19:52 +0200, ubitux wrote:
> On Fri, Aug 27, 2010 at 06:48:12PM +0100, Ed W wrote:
> > On 27/08/2010 18:05, Cliff Wells wrote:
> > >Nevertheless, I've updated the MediaWiki entry.
> >
> > I'm still having problems getting to the wiki - no .js files are
> > loading which is causing some wierd stuff to happen.
> >
> > However, my opinion is that just adding try_files is only a partial
> > fix. If some way is found to upload .php files (bad wikipedia
> > config) or some other exploit is found that can bypass the try_files
> > then we still have an issue.
> >
> > My mediawiki config does this:
> >
> > location ~ .*.php$ {
> > include /etc/nginx/fastcgi_params;
> > if ( $uri !~ "^/images/") {
> > fastcgi_pass localhost:9000;
> > }
> > }
> >
> > Others have already pointed out that we can do better than my IF.
> > However, your try_files, plus the explicit exclusion of the /images/
> > dir go a long way to secure mediawiki. Also I think the specific
> > exclusion of the /images/ dir becomes quite self-documenting,
> > whereas the try_files is quite a subtle fix?
> >
>
> Why don't you just check if the file exists?
>
> I use something like that:
>
> location ~ \.php$ {
> if (!-f $request_filename) {
> return 404;
> }
> fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
> fastcgi_param SCRIPT_FILENAME $vpath/$fastcgi_script_name;
> include fastcgi_params;
> }

That's exactly equivalent to the try_files, except longer and using a
deprecated feature.

Cliff

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 11:28AM
Re: Possible widespread PHP configuration issue - security risk	zuborg	August 27, 2010 11:47AM
Re: Possible widespread PHP configuration issue - security risk	Jim Ohlstein	August 27, 2010 11:50AM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:10PM
Re: Possible widespread PHP configuration issue - security risk	Jim Ohlstein	August 27, 2010 12:18PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:30PM
Re: Possible widespread PHP configuration issue - security risk	vesperto	August 27, 2010 12:36PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:48PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 01:14PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:24PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 01:50PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:54PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:52PM
Re: Possible widespread PHP configuration issue - security risk	ubitux	August 27, 2010 01:56PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:10PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:16PM
Re: Possible widespread PHP configuration issue - security risk	mike	August 27, 2010 02:22PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:44PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 28, 2010 06:38AM
Re: Possible widespread PHP configuration issue - security risk	brianmercer	August 27, 2010 12:22PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:26PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:46PM
Re: Possible widespread PHP configuration issue - security risk	brianmercer	August 27, 2010 01:17PM
Re: Possible widespread PHP configuration issue - security risk	Maxim Dounin	August 27, 2010 01:26PM
Re: Possible widespread PHP configuration issue - security risk	Boris Dolgov	August 27, 2010 01:26PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:38PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:52PM
Re: Possible widespread PHP configuration issue - security risk	Raina Gustafson	August 27, 2010 01:02PM
Re: Possible widespread PHP configuration issue - security risk	Ensiferous	August 30, 2010 12:46PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 133

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018