António P. P. Almeida
March 08, 2011 02:18PM
On 8 Mar 2011 14h33 WET, nginx-forum@nginx.us wrote:

> Hi,
>
> I discovered a vulnerability in your best practice wiki article:
> http://wiki.nginx.org/Pitfalls#Proxy_Everything
>
> The configuration which is promoted as "good" doesn't work as
> intended:
>
> <<<>>>
> server {
> server_name _;
> root /var/www/site;
> location / {
> try_files $uri $uri/ @proxy;
> }
> location @proxy {
> include fastcgi_params;
> fastcgi_param SCRIPT_FILENAME
> $document_root$fastcgi_script_name;
> fastcgi_pass unix:/tmp/phpcgi.socket;
> }
> }
> <<<>>>
>
> try_files checks if a file exists and if it does, it is simply
> returned to the browser. This is a good thing for static files, but
> with this configuration PHP files are not parsed.
>
> <<<>>>
> $ curl -i http://foo.lan/info.php
> HTTP/1.1 200 OK
> Server: nginx/0.8.54
> Date: Tue, 08 Mar 2011 14:08:07 GMT
> Content-Type: application/octet-stream
> Content-Length: 20
> Last-Modified: Tue, 08 Mar 2011 13:05:32 GMT
> Connection: keep-alive
> Accept-Ranges: bytes
>
> <?php phpinfo(); ?>
> <<<>>>
>
> The configuration works, i.e. the PHP files are parsed, only in one
> case: if nginx believes the file does not exist (although it does)
> and hands the request to the FastCGI instance.
>
> <<<>>>
> C:\Users\Lukas>curl -i http://foo.lan/info.php/asdf
> HTTP/1.1 200 OK
> Server: nginx/0.8.54
> Date: Tue, 08 Mar 2011 14:21:17 GMT
> Content-Type: text/html
> Transfer-Encoding: chunked
> Connection: keep-alive
> X-Powered-By: PHP/5.3.5-1 <-------- This file was parsed by PHP as
> intended.
>
> [...]
> <<<>>>

That's a generic example. The pitfalls page is meant to warn you
against some inadvisable practices. It's not meant to be a config
recipe. You should always adapt your config to your application.

As a rule all PHP (or whatever language file) scripts should be
enumerated in the config, if possible with exact matchings, or if
using PATHINFO with the correct pattern.

Otherwise you're setting yourself up for getting p0wned.

--- appa


_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
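An added example of what the reply's advice looks like as a config, written for this thread and not taken from the wiki page or from appa's own setup: static files go through try_files with =404, and only enumerated scripts ever reach FastCGI. The document root and socket path are the ones from the quoted config; the server name, the choice of index.php as the single entry point, and the PATH_INFO location are assumptions.

```nginx
# Added example, not the wiki's "good" config. Assumes index.php is the only
# script the application exposes; root and socket reuse the quoted values.
server {
    listen 80;
    server_name example.invalid;   # placeholder, not a real host
    root /var/www/site;
    index index.php index.html;

    # Static content only. A request for /info.php never lands here: the
    # regex locations below take precedence over this prefix location.
    location / {
        try_files $uri $uri/ =404;
    }

    # Exact match for the one script that is meant to run. Nothing is looked
    # up on disk first, so the source is never served as a static file.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }

    # PATH_INFO-style URLs (/index.php/some/path) for that same script, with
    # the pattern pinned to the script name rather than to "anything .php".
    # $fastcgi_path_info is saved before try_files because try_files rewrites
    # $uri to the matched file and the split would otherwise yield nothing.
    location ~ ^/index\.php(/|$) {
        fastcgi_split_path_info ^(/index\.php)(/.*)?$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }

    # Any other .php file (info.php from the report included) is not an
    # entry point: neither parsed nor served as plain text.
    location ~ \.php$ {
        return 404;
    }
}
```

With this layout the two requests from the report both come back 404: /info.php hits the final regex location, and /info.php/asdf matches no script location and falls through to the static try_files, which finds no such file. Each new script the application needs gets its own `location =` block rather than a catch-all.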