Re: Possible widespread PHP configuration issue - security risk

Ed W
August 27, 2010 01:38PM
Hi

> Your situation number 2 is about path info which is enabled in PHP by
> default so that requests like
>
> http://mysite.com/chive/index.php/site/login
>
> will work. Most web apps don't need the cgi.fix_pathinfo feature turned
> on. Drupal, Wordpress use queries. i.e.
> http://mysite.com/wordpress/index.php?q=/site/login
>
> Some things like chive need the path info feature, and so the PHP devs
> ship PHP with cgi.fix_pathinfo turned on by default, which leads to the
> vulnerability with common nginx configurations. Luckily, nginx has
> support for pathinfo without enabling cgi.fix_pathinfo in php. I noted
> the config above.

Thanks for clarifying this - I guess I didn't understand my own example
correctly.

This stuff is quite subtle - I hope we are getting somewhere towards a
generic config starting point now...

> The only solution is to alert people to these complexities, and to
> update the sample configs on the wiki. Unfortunately, there's about a
> thousand sample configs on the web which don't account for this issue.
> A page on the wiki specifically addressing upload directories and
> cgi.fix_pathinfo would also be a good idea.

Sounds excellent - I'm hoping some smarter folks can also suggest a
baseline cgi config and then we have all the bits together?

Note some other smart people might point out that there is other
nginx-specific config that might usefully be applied to untrusted upload
directories? Anyone think of anything that might be missed along the
SSI/directory listing line that could be abused?

Cheers

Ed W

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
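
Added example, not part of the original post and not the config referred to in the quoted reply: a baseline of the kind the thread asks for, with cgi.fix_pathinfo turned off in PHP and nginx doing the path-info split itself. The host name, document root, `/uploads/` prefix and FastCGI address are assumptions.

```nginx
# Constructed example. Pair it with this php.ini setting:
#   cgi.fix_pathinfo = 0
# so PHP runs exactly the SCRIPT_FILENAME nginx hands it and does not
# search the path for a script on its own.

server {
    listen      80;
    server_name example.com;          # assumption
    root        /var/www/example;     # assumption
    index       index.php;

    # Untrusted upload directory (assumed prefix): static files only.
    # "^~" stops nginx from evaluating the regex PHP location below
    # for anything under this prefix, so nothing here reaches FastCGI.
    location ^~ /uploads/ {
        autoindex off;   # no directory listings
        ssi       off;   # uploaded files are never parsed for SSI
    }

    # PHP scripts, with optional trailing path info such as
    # /chive/index.php/site/login
    location ~ [^/]\.php(/|$) {
        # nginx splits the URI into script name and path info:
        #   $fastcgi_script_name = /chive/index.php
        #   $fastcgi_path_info   = /site/login
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;

        # Refuse the request unless the script part is a real file.
        # "if" is used rather than try_files because try_files
        # resets $fastcgi_path_info.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_pass  127.0.0.1:9000;   # assumption: PHP FastCGI listener
    }
}
```

Check the result with `nginx -t` before reloading; applications that rely on path info (chive in the quoted example) keep working because `PATH_INFO` is still passed, only now computed by nginx.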