Welcome! Log In Create A New Profile

Advanced

Re: Possible widespread PHP configuration issue - security risk

August 27, 2010 01:17PM
Ed W Wrote:
-------------------------------------------------------
> This isn't new stuff. EVERY web app needs to
> secure the uploads
> directory. The point is more that the main config
> examples are for
> Apache and less skilled nginx users will easily
> miss these subtleties.
>

As you say, your web app should have a plan for mitigating the dangers of user uploads. Drupal puts an .htaccess file in the upload directory which changes the apache file handler. Of course, that does nothing with nginx and so you want something like

location ~ .*/files/.* {
try_files $uri =404 # or index.php?q=$uri or @drupal depending on your config
}

located before your location ~ .php so you get a match on the files directory and you don't execute malicious .php. Or something more restrictive when it comes to .php files like specifying the permitted executable files explicitly. see http://test.brianmercer.com/content/nginx-configuration-drupal

> I don't think it's the path_info which is the problem -

Your situation number 2 is about path info which is enabled in PHP by default so that requests like

http://mysite.com/chive/index.php/site/login

will work. Most web apps don't need the cgi.fix_pathinfo feature turned on. Drupal, Wordpress use queries. i.e. http://mysite.com/wordpress/index.php?q=/site/login

Some things like chive need the path info feature, and so the PHP devs ship PHP with cgi.fix_pathinfo turned on by default, which leads to the vulnerability with common nginx configurations. Luckily, nginx has support for pathinfo without enabling cgi.fix_pathinfo in php. I noted the config above.

The only solution is to alert people to these complexities, and to update the sample configs on the wiki. Unfortunately, there's about a thousand sample configs on the web which don't account for this issue. A page on the wiki specifically addressing upload directories and cgi.fix_pathinfo would also be a good idea.
Subject Author Posted

Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 11:28AM

Re: Possible widespread PHP configuration issue - security risk

zuborg August 27, 2010 11:47AM

Re: Possible widespread PHP configuration issue - security risk

Jim Ohlstein August 27, 2010 11:50AM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 12:10PM

Re: Possible widespread PHP configuration issue - security risk

Jim Ohlstein August 27, 2010 12:18PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 12:30PM

Re: Possible widespread PHP configuration issue - security risk

vesperto August 27, 2010 12:36PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 12:48PM

Re: Possible widespread PHP configuration issue - security risk

Cliff Wells August 27, 2010 01:14PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 01:24PM

Re: Possible widespread PHP configuration issue - security risk

Cliff Wells August 27, 2010 01:50PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 01:54PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 01:52PM

Re: Possible widespread PHP configuration issue - security risk

ubitux August 27, 2010 01:56PM

Re: Possible widespread PHP configuration issue - security risk

Cliff Wells August 27, 2010 02:10PM

Re: Possible widespread PHP configuration issue - security risk

Cliff Wells August 27, 2010 02:16PM

Re: Possible widespread PHP configuration issue - security risk

mike August 27, 2010 02:22PM

Re: Possible widespread PHP configuration issue - security risk

Cliff Wells August 27, 2010 02:44PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 28, 2010 06:38AM

Re: Possible widespread PHP configuration issue - security risk

brianmercer August 27, 2010 12:22PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 12:26PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 12:46PM

Re: Possible widespread PHP configuration issue - security risk

brianmercer August 27, 2010 01:17PM

Re: Possible widespread PHP configuration issue - security risk

Maxim Dounin August 27, 2010 01:26PM

Re: Possible widespread PHP configuration issue - security risk

Boris Dolgov August 27, 2010 01:26PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 01:38PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 27, 2010 12:52PM

Re: Possible widespread PHP configuration issue - security risk

Raina Gustafson August 27, 2010 01:02PM

Re: Possible widespread PHP configuration issue - security risk

Ensiferous August 30, 2010 12:46PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 104
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready