Re: Possible widespread PHP configuration issue - security risk

Ed W
August 27, 2010 12:46PM
Hi

> More discussion and proposed fixes here:
> http://forum.nginx.org/read.php?2,88845,88996

Thanks for the link.

However, I have to say with my "typical user" hat on: I started reading
the thread, got about halfway through, skipped to the end to find some
kind of executive summary and then came away deciding that it looked too
complicated...

Look, there are some smart cookies here and I'm sure most of the people
on this list have their servers set up securely. However, there are a
massive 99% of other people who just want to cut and paste a config, and
it's my opinion that the default configs they are likely using have big
holes in them.


This isn't new stuff. EVERY web app needs to secure the uploads
directory. The point is more that the main config examples are for
Apache and less skilled nginx users will easily miss these subtleties.

I last posted about this on 23/2/2009. Didn't raise the slightest interest
then either.

> In addition to:
>
> 1. disabling .php execution in upload directories;

Yes, but it isn't that obvious how to do this?

> 2. adding a try_files to your .php location to check that the requested
> .php file exists;

I agree. However, we still don't have a cut'n'paste solution for the
average user?


> if you have software that needs the path_info feature. The only thing I
> use that does is chive.

Actually I think we might be overthinking the problem here. I don't
think it's the path_info which is the problem - the post you mentioned
was really just a special case of getting the interpreter to run
something in the uploads dir. I think the big final config change is to
give a more generic way to avoid running files in the upload dir *at
all*. All the other stuff such as try_files, etc. is really icing after
that?


Look, here's my best attempt. I think it's poor, hence I hope someone has
a better suggestion:


Single script, enable only that single script:

location ~ /blah/script\.php$ {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass localhost:9000;
}

Exclude single dir, everything else executable:

location ~ \.php$ {
    include /etc/nginx/fastcgi_params;
    # only hand the request to PHP if it is not under /images/
    if ( $uri !~ "^/images/") {
        fastcgi_pass localhost:9000;
    }
}


> Thanks in advance for updating the wiki

I don't know what the definitive solution should be yet? All I see are
a very confused bunch of posts showing how if you are an nginx guru it
won't happen to you...? Let's get a core solution, shall we, and then we
can work from there?


Ed W

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
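As an added example, not part of Ed W's post or of the thread, here is one way to express the two measures quoted above in a single server block: nothing under the uploads directory is ever handed to PHP, and try_files ensures only scripts that actually exist on disk are passed to the FastCGI backend. The /images/ path, localhost:9000 and /etc/nginx/fastcgi_params are taken from the post; the document root is assumed, and SCRIPT_FILENAME is set explicitly because the post's snippets leave it to fastcgi_params. Unlike the `if` variant in the post, a request for /images/foo.php here is refused rather than falling through to be served as a static file (which would disclose the script's source).

```nginx
server {
    listen 80;
    root /var/www/site;          # assumed document root (not from the post)
    index index.php index.html;

    # Uploads directory from the post. The ^~ modifier makes this prefix
    # match final: nginx never consults the regex .php location below for
    # anything under /images/, so an uploaded foo.php, or a path such as
    # /images/foo.jpg/bar.php aimed at PATH_INFO handling, cannot reach PHP.
    location ^~ /images/ {
        # Refuse .php names outright instead of serving their source as text.
        location ~ \.php$ {
            return 403;
        }
        # Everything else is a plain file or a 404; nothing is executed.
        try_files $uri =404;
    }

    # All other .php requests go to the FastCGI backend, but only when the
    # requested file exists: try_files turns a request for a non-existent
    # script into a 404 instead of letting PHP resolve it to another file.
    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass localhost:9000;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the ordering with `nginx -t` and a request for `/images/test.php` (expect 403) and `/images/missing.jpg/x.php` (also 403, since the nested regex sees the trailing .php) before relying on it.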