Possible Arbitrary Code Execution with Null Bytes (Nginx + PHP)

Joshua Zhu
August 25, 2011 11:06PM
Hi guys,

Just for your information, there is a security hole that may be exploited by
malicious users when PHP and older versions of nginx (0.5.*, 0.6.*,
0.7 <= 0.7.65, 0.8 <= 0.8.37) are being used. And it has been widely spread
these days.

This vulnerability was found by Neal Poole and has been reported to Igor:
https://nealpoole.com/blog/2011/07/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

I do agree with Igor that it's not an issue of Nginx itself, but those lazy
system administrators should upgrade their Nginx to the latest version right
now.


Regards,

--
Joshua Zhu
Senior Software Engineer
Server Platforms Team at Taobao
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
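
The version ranges listed in the message above can be checked mechanically against an `nginx -v` banner. The script below is an added example, not part of the original post or of nginx; the function name and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an nginx version against the ranges named in the post:
#   0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37
# Returns 0 = in a listed range, 1 = not in a listed range, 2 = unparseable.
# The function name is hypothetical.
nginx_null_byte_affected() {
    v=${1##*nginx/}        # drop banner text up to "nginx/", if present
    v=${v%%[!0-9.]*}       # cut at the first character that is not a digit or dot
    old_ifs=$IFS; IFS=.
    set -- $v              # split on dots into major, minor, patch
    IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    for part in "$1" "$2" "$3"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$1" -ne 0 ]; then return 1; fi
    if [ "$2" -eq 5 ] || [ "$2" -eq 6 ]; then return 0; fi
    if [ "$2" -eq 7 ] && [ "$3" -le 65 ]; then return 0; fi
    if [ "$2" -eq 8 ] && [ "$3" -le 37 ]; then return 0; fi
    return 1
}

# Constructed sample inputs (not taken from any real host).
# On a live system the banner comes from stderr: "$(nginx -v 2>&1)".
for banner in \
    "nginx version: nginx/0.6.39" \
    "nginx version: nginx/0.7.65" \
    "nginx version: nginx/0.7.66" \
    "nginx version: nginx/0.8.37" \
    "nginx version: nginx/0.8.38" \
    "nginx version: nginx/1.0.5" \
    "nginx version: unknown"
do
    rc=0
    nginx_null_byte_affected "$banner" || rc=$?
    case $rc in
        0) verdict="in a listed range: upgrade" ;;
        1) verdict="not in a listed range" ;;
        *) verdict="could not parse version" ;;
    esac
    printf '%-32s %s\n' "$banner" "$verdict"
done
```
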