On Wed, Aug 4, 2010 at 2:44 PM, Ed W <lists@wildgooses.com> wrote:
> However, all the default configs that I have seen for PHP setups on the
> wiki, etc, seem insecure to my mind. They nearly all point *all* files
> named xx.php to be processed by your php interpreter. Coupled with
> nearly all non-trivial applications having some "upload" feature, this allows
> a gaping potential issue to upload arbitrary files named xx.php and you are
> allowing arbitrary code to be uploaded...
Someone just posted this on my blog:
location ~ \.php$ {
....
try_files $uri =404;
...
}
exploit http://site.ru/images/as5df3.jpeg/.php
Might be an interesting approach; haven't tried it yet. Would this add
an additional stat call or two, though, for every PHP request, Igor?
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
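As an added illustration, not part of the thread or of nginx or PHP, the following Python script emulates the two behaviours the post compares: what PHP does with the default cgi.fix_pathinfo=1 when nginx hands it a SCRIPT_FILENAME that does not exist (it strips trailing path components until it finds a real file and executes that one), and what `try_files $uri =404` does in front of it (one stat of $document_root$uri, and a 404 if that exact path is not a file). The document root, the `images/as5df3.jpeg` upload and `index.php` are constructed in a temporary directory; the stat counter is there to answer the "extra stat call" question in this emulation, not to measure nginx itself.

```python
import os
import tempfile
from typing import List, Optional, Tuple


def make_demo_docroot() -> str:
    """Constructed document root: one legitimate script and one uploaded image."""
    root = tempfile.mkdtemp(prefix="nginx-php-demo-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "images", "as5df3.jpeg"), "wb") as f:
        # Constructed sample: a few bytes standing in for an uploaded image.
        f.write(b"\xff\xd8\xff\xe0 constructed sample, not a real JPEG\n")
    return root


def try_files_uri(docroot: str, uri: str, stats: List[str]) -> Optional[str]:
    """Emulate `try_files $uri =404` inside `location ~ \\.php$`.

    nginx stats $document_root$uri exactly once; unless that exact path is an
    existing file the request is answered with 404 and never reaches PHP.
    """
    candidate = os.path.join(docroot, uri.lstrip("/"))
    stats.append(candidate)
    return candidate if os.path.isfile(candidate) else None


def fix_pathinfo_walk(docroot: str, uri: str, stats: List[str]) -> Optional[str]:
    """Emulate PHP with cgi.fix_pathinfo=1 (the default) given a SCRIPT_FILENAME
    of $document_root$uri that does not exist on disk.

    PHP drops trailing path components until something on disk matches, runs
    that file as the script and treats the remainder as PATH_INFO. This is why
    a request for /images/as5df3.jpeg/.php ends up executing the uploaded
    image as PHP when nothing in front of PHP checks the exact path.
    """
    parts = uri.strip("/").split("/")
    while parts:
        candidate = os.path.join(docroot, *parts)
        stats.append(candidate)
        if os.path.isfile(candidate):
            return candidate
        parts.pop()
    return None


def resolve_php_request(docroot: str, uri: str, try_files: bool) -> Tuple[Optional[str], int]:
    """Return (file PHP would execute or None for a 404, number of stat calls)."""
    stats: List[str] = []
    if try_files and try_files_uri(docroot, uri, stats) is None:
        return None, len(stats)  # nginx answers 404; PHP never sees the request
    return fix_pathinfo_walk(docroot, uri, stats), len(stats)


if __name__ == "__main__":
    root = make_demo_docroot()
    for uri in ("/index.php", "/images/as5df3.jpeg/.php"):
        for tf in (False, True):
            executed, n = resolve_php_request(root, uri, try_files=tf)
            outcome = "404" if executed is None else os.path.relpath(executed, root)
            print(f"{uri:28} try_files={tf!s:5} -> {outcome:20} ({n} stat call(s))")
```

In the emulation, a legitimate `/index.php` costs one extra stat with try_files enabled, while the `/images/as5df3.jpeg/.php` request is rejected after that single stat instead of reaching PHP and executing the upload. The same class of problem is also addressed on the PHP side by setting cgi.fix_pathinfo=0, or, where PATH_INFO is needed, by only handing PHP paths that nginx has confirmed exist.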