Possible widespread PHP configuration issue - security risk

Ed W
August 27, 2010 11:28AM
Look, not had a lot of success raising this quietly. The Nginx wiki
has a number of very insecure PHP configuration suggestions. Anyone
using these example configurations should immediately review their
configuration and ensure that they aren't vulnerable to an upload attack
where uploaded files might be accidentally treated as executable files
by nginx.

The core of the problem is that most of the example configurations
enable php scripts in *all* directories on the server. Coupled with
relatively poor upload handling (in most PHP apps) and you have an
upload attack waiting to blow up on you.

Try the following:

1) PHP uploads allowed (erk...)

Create a file test.php containing:
<?php echo 'hello' ?>

Try and upload this. If you can then probably turn off the server until
you fix the issue...

The attack is to construct a URL which points to the uploads directory, eg:
http://myserver/uploads/test.php


2) JPG uploads allowed, and wildcard ~ .php execution allowed

Create a test file test.jpg as follows:
# echo -e "\xff\xd8\xff\xe0\n<?php echo 'hello'; ?>" > test.jpg
# file test.jpg
test.jpg: JPEG image data

Now try and upload this test.jpg file to your server. If it succeeds
then probably turn off the server until you fix the issue...

The attack is to construct a URL which points to the uploads directory
and then append /.php on the URL, eg
http://myserver/uploads/test.jpg/.php

Under *certain* configurations (wildcard php without a specific
SCRIPT_URL set) this will cause the execution of test.jpg by the php
interpreter.


The correct solution is where possible:
- Enable PHP only on files in certain directories (if possible). Exclude
upload dirs!
- Specifically disable (lots of) stuff on any upload locations!!
Remember configuration ordering in nginx puts regexp before named
locations (order is important)
- Use try_files and other techniques to additionally lock down uri to
file mapping
- Check for any Apache .htaccess files shipped with your app and
translate to nginx config where appropriate (eg blocking certain
locations completely)

There are plenty of examples of dangerous configuration on the nginx
wiki. eg the Wordpress initially presented configuration seems
vulnerable, but further down that page a more secure config is presented:
http://wiki.nginx.org/Wordpress
The Media wiki example seems to show the same vulnerability:
http://wiki.nginx.org/NginxMediaWiki

Please just treat your uploads directory carefully. It's a huge attack
vector.

Any volunteers to help improve the Wiki? Anyone got some better example
configurations (which are secure)? I don't use most of the PHP apps
listed, so hard to test their configurations?

Note this is not a problem with Nginx, this is a *configuration issue*.
However, the docs recommend such an insecure default configuration that
there must surely be loads of people vulnerable here...

Cheers

Ed W

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
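The two configuration shapes the post contrasts, written out as an added example (this is not config from the post, the nginx wiki, or any of the apps named). The hostname, document root, the php-fpm address 127.0.0.1:9000 and the /uploads/ prefix are assumptions. Note that nginx selects a regex location over a plain prefix location regardless of order in the file; only a prefix written with ^~ takes precedence over the regex block, which is what makes the hardened upload location stick.

```nginx
# --- WEAK: the pattern the post warns about -------------------------------
# Every URI ending in .php, anywhere under the root, is handed to PHP.
# With PHP's cgi.fix_pathinfo=1 a request for /uploads/test.jpg/.php
# matches this regex; no such file exists, so PHP walks back along the
# path and executes /uploads/test.jpg instead.
server {
    listen 80;
    server_name weak.example.invalid;      # constructed hostname
    root /var/www/app;                     # assumed document root

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;       # assumed php-fpm listener
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

# --- HARDENED --------------------------------------------------------------
server {
    listen 80;
    server_name hardened.example.invalid;  # constructed hostname
    root /var/www/app;

    # ^~ is a prefix match that wins over the regex location below, so
    # nothing under /uploads/ can reach the PHP handler. Only plain
    # existing files are served; /uploads/test.jpg/.php is not a file
    # and gets a 404, /uploads/test.php is refused outright.
    location ^~ /uploads/ {
        try_files $uri =404;
        location ~ \.php$ {
            return 403;
        }
    }

    # Tightest option from the post: enable PHP only for the script(s)
    # the application actually needs rather than every *.php on disk.
    location = /index.php {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # If a wildcard PHP location is unavoidable, try_files makes nginx
    # verify the requested script exists on disk before proxying, so the
    # "/.php suffix" trick never reaches the interpreter. Setting
    # cgi.fix_pathinfo=0 in php.ini is an independent second layer.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Everything else: static files, or the app's front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

To check a deployed config, repeat the post's two tests (upload test.php, then the JPEG-with-PHP-header file) and request both `/uploads/test.php` and `/uploads/test.jpg/.php`; with the hardened block the first returns 403 and the second 404, and the access log shows the request never reached php-fpm. `nginx -t` validates the syntax before a reload.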