Welcome! Log In Create A New Profile

Advanced

Minor FastCGI issues

Posted by NewEraCracker 
Minor FastCGI issues
April 18, 2011 02:45PM
Hello. I am using nginx 1.0.0 in windows

As I am aware of an issue with php-cgi and nginx that may lead to remote code execution I've been hardening configuration to workaround issues.

The issue is explained here: http://www.80sec.com/nginx-securit.html

I was using this in server{} configuration
-------------------------------------------------------
if ( $fastcgi_script_name *~ \..*\/.*php ) {
return 403;
}
-------------------------------------------------------

A few months ago I found a better to handle this issue without using the piece of code above:
-------------------------------------------------------
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ .*\.php$ {

# do not pass non-existent files for security reasons
if (!-f $document_root$fastcgi_script_name){ return 404; }

fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
-------------------------------------------------------

Today I found an even better way to handle this but (I think) have found a bug:
This doesn't work:
-------------------------------------------------------
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ .*\.php$ {

# do not pass non-existent files for security reasons
if (-f $document_root$fastcgi_script_name) {
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
}
}
-------------------------------------------------------
This does work:
-------------------------------------------------------
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ .*\.php$ {

fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;

# do not pass non-existent files for security reasons
if (-f $document_root$fastcgi_script_name) {
fastcgi_pass 127.0.0.1:9000;
}
}
-------------------------------------------------------



Edited 1 time(s). Last edit at 04/18/2011 02:48PM by NewEraCracker.
Re: Minor FastCGI issues
April 18, 2011 02:57PM
Oh and by the way. if you turn on php fastcgi in default nginx configuration it will fail to display a directory if name ends in .php

Example:

Create a directory named test.php in www
create an index.php inside test.php dir

http://localhost/test.php will fail
http://localhost/test.php/ will work

Its related to this issue by the way :)

Hope this helps,

Regards,
NewEraCracker



Edited 1 time(s). Last edit at 04/18/2011 02:57PM by NewEraCracker.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 100
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready