Hello. I am using nginx 1.0.0 on Windows.
As I am aware of an issue with php-cgi and nginx that may lead to remote code execution, I've been hardening the configuration to work around the issue.
The issue is explained here: http://www.80sec.com/nginx-securit.html
I was using this in server{} configuration
-------------------------------------------------------
if ( $fastcgi_script_name ~* \..*\/.*php ) {
return 403;
}
-------------------------------------------------------
A few months ago I found a better way to handle this issue without using the piece of code above:
-------------------------------------------------------
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ .*\.php$ {
# do not pass non-existent files for security reasons
if (!-f $document_root$fastcgi_script_name){ return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
-------------------------------------------------------
Today I found an even better way to handle this, but (I think) I have found a bug:
This doesn't work:
-------------------------------------------------------
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ .*\.php$ {
# do not pass non-existent files for security reasons
if (-f $document_root$fastcgi_script_name) {
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
}
}
-------------------------------------------------------
This does work:
-------------------------------------------------------
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ .*\.php$ {
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# do not pass non-existent files for security reasons
if (-f $document_root$fastcgi_script_name) {
fastcgi_pass 127.0.0.1:9000;
}
}
-------------------------------------------------------
Edited 1 time(s). Last edit at 04/18/2011 02:48PM by NewEraCracker.
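The difference between the two blocks above is an nginx context rule rather than a bug: fastcgi_param and fastcgi_index are only allowed in http, server and location context, whereas fastcgi_pass is additionally allowed inside an if block within a location. Moving fastcgi_index, fastcgi_param and include out of the if is therefore exactly what makes the second version load. The configuration below is an added example, not the poster's configuration and not part of the nginx project's files; it reaches the same goal (never hand a request like /uploads/pic.jpg/x.php to php-cgi) with try_files, which nginx 1.0.0 supports, instead of if. It assumes php-cgi is listening on 127.0.0.1:9000 and that the stock fastcgi_params file is present in the nginx conf directory.

```nginx
# Added example configuration (assumptions: php-cgi on 127.0.0.1:9000,
# fastcgi_params in the nginx conf directory). Place inside server { }.
location ~ \.php$ {
    # The 80sec path-info trick relies on a URI such as /uploads/pic.jpg/x.php
    # matching \.php$ while php-cgi then executes pic.jpg. try_files checks that
    # the file named by $uri exists under $document_root; if it does not,
    # nginx answers 404 itself and nothing is passed to FastCGI.
    try_files $uri =404;

    fastcgi_index index.php;
    include fastcgi_params;
    # Set after the include so it cannot be overridden by the included file.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}
```

Because try_files is an ordinary location-level directive, every fastcgi_* directive can stay in the location block and no if is needed. As defence in depth on the PHP side, cgi.fix_pathinfo=0 in php.ini stops php-cgi from walking back along the path to find a script to execute, so the web server check is not the only line of defence.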