Re: Possible widespread PHP configuration issue - security risk

August 27, 2010 02:44PM
On Fri, 2010-08-27 at 11:15 -0700, Michael Shadle wrote:
> On Fri, Aug 27, 2010 at 11:13 AM, Cliff Wells <cliff@develix.com> wrote:
>
> > It is subtle, but all fixes are, because the underlying vulnerability is
> > quite subtle. What user isn't going to look at that and say to
> > themselves "why do I need this if statement?". Just use the try_files
> > and add a comment to its purpose.
>
> The caveat with try_files is it means nginx has filesystem access to
> check the existence of the file and an additional stat call (or more)
> - it can be in the open file cache, modern systems it's not a huge
> deal, etc, etc.
>
> But it won't help if you're fastcgi_pass to a remote server that nginx
> does not have the same path to the file (or have access to the php
> file) at all.

Good point. I do prefer your more general fix, although I'd like
confirmation that it does fully address the issue (the whole split_path
thing is too weird for me to want to try to understand).

Regards,
Cliff



_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
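For readers following the try_files suggestion in this exchange, here is the location block it implies, as an added example that is not a config posted in the thread; the server name, document root and socket path are assumptions, and the background comment states the PHP behaviour the thread's "subtle vulnerability" refers to.

```nginx
# Added example, not from the thread.  Background (known PHP behaviour):
# with cgi.fix_pathinfo=1, the default, PHP-CGI/FPM that is handed a
# SCRIPT_FILENAME which does not exist walks back along the path until it
# finds a real file and runs that, so a request for
#   /uploads/avatar.jpg/anything.php
# could execute avatar.jpg as PHP.  The location below refuses to forward
# any request whose literal URI is not an existing file on disk.

server {
    listen 80;
    server_name example.com;             # assumed
    root /srv/www/example.com/htdocs;    # assumed

    # Matches only URIs that end in .php; this block serves scripts
    # directly and does not pass PATH_INFO (the "split_path" case).
    location ~ \.php$ {
        # nginx stat()s $document_root$uri.  If it is not a regular file
        # the request is answered with 404 and never reaches PHP.  This is
        # the extra filesystem access Michael's reply points out, and it
        # only works when nginx can see the same files PHP does.
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # assumed local backend
    }
}

# Remote backend caveat: if fastcgi_pass points at another host whose
# filesystem nginx cannot read, try_files cannot do this check.  The
# PHP-side setting that removes the path walk-back is then the defence:
#   php.ini:  cgi.fix_pathinfo=0
```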