Welcome! Log In Create A New Profile

Advanced

Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

March 08, 2011 09:33AM
Hi,

I discovered a vulnerability in your best practice wiki article: http://wiki.nginx.org/Pitfalls#Proxy_Everything

The configuration which is promoted as "good" doesn't work as intended:

<<<>>>
server {
server_name _;
root /var/www/site;
location / {
try_files $uri $uri/ @proxy;
}
location @proxy {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/tmp/phpcgi.socket;
}
}
<<<>>>

try_files checks if a file exists and if it does, it is simply returned to the browser. This is a good thing for static files, but with this configuration PHP files are not parsed.

<<<>>>
$ curl -i http://foo.lan/info.php
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 08 Mar 2011 14:08:07 GMT
Content-Type: application/octet-stream
Content-Length: 20
Last-Modified: Tue, 08 Mar 2011 13:05:32 GMT
Connection: keep-alive
Accept-Ranges: bytes

<?php phpinfo(); ?>
<<<>>>

The configuration works, i.e. the PHP files are parsed, only in one case: If nginx believes the files does not exist (although it does) and handles the request to the FastCGI instance.

<<<>>>
C:\Users\Lukas>curl -i http://foo.lan/info.php/asdf
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 08 Mar 2011 14:21:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.5-1 <-------- This file was parsed by PHP as intended.

[...]
<<<>>>
Subject Author Posted

Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Lukas0907 March 08, 2011 09:33AM

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Ensiferous March 08, 2011 11:08AM

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

António P. P. Almeida March 08, 2011 02:18PM

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Cliff Wells March 08, 2011 02:28PM

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Lukas0907 March 08, 2011 02:37PM

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Cliff Wells March 08, 2011 02:48PM

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

António P. P. Almeida March 08, 2011 09:48PM

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Adrian von Stechow March 09, 2011 01:04AM

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

genarg April 06, 2011 11:29AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 68
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready