Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

Adrian von Stechow
March 09, 2011 01:04AM
This was a discussion in this ML a few weeks ago labelled "nginx 0day"
or so. There were a few sample configs that don't run into this
problem posted. I check for existence of the php file inside the proxy
location with
try_files $uri =403
for example.
And of course always be sure to have cgi.fix_pathinfo=0 if you don't need it.

bb, proud owner of a hacked pathinfo box.

On 08.03.2011, at 20:15, António P. P. Almeida <appa@perusio.net> wrote:

> On 8 Mar 2011 14h33 WET, nginx-forum@nginx.us wrote:
>
>> Hi,
>>
>> I discovered a vulnerability in your best practice wiki article:
>> http://wiki.nginx.org/Pitfalls#Proxy_Everything
>>
>> The configuration which is promoted as "good" doesn't work as
>> intended:
>>
>> <<<>>>
>> server {
>>     server_name _;
>>     root /var/www/site;
>>     location / {
>>         try_files $uri $uri/ @proxy;
>>     }
>>     location @proxy {
>>         include fastcgi_params;
>>         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
>>         fastcgi_pass unix:/tmp/phpcgi.socket;
>>     }
>> }
>> <<<>>>
>>
>> try_files checks if a file exists and if it does, it is simply
>> returned to the browser. This is a good thing for static files, but
>> with this configuration PHP files are not parsed.
>>
>> <<<>>>
>> $ curl -i http://foo.lan/info.php
>> HTTP/1.1 200 OK
>> Server: nginx/0.8.54
>> Date: Tue, 08 Mar 2011 14:08:07 GMT
>> Content-Type: application/octet-stream
>> Content-Length: 20
>> Last-Modified: Tue, 08 Mar 2011 13:05:32 GMT
>> Connection: keep-alive
>> Accept-Ranges: bytes
>>
>> <?php phpinfo(); ?>
>> <<<>>>
>>
>> The configuration works, i.e. the PHP files are parsed, only in one
>> case: if nginx believes the file does not exist (although it does)
>> and hands the request to the FastCGI instance.
>>
>> <<<>>>
>> C:\Users\Lukas>curl -i http://foo.lan/info.php/asdf
>> HTTP/1.1 200 OK
>> Server: nginx/0.8.54
>> Date: Tue, 08 Mar 2011 14:21:17 GMT
>> Content-Type: text/html
>> Transfer-Encoding: chunked
>> Connection: keep-alive
>> X-Powered-By: PHP/5.3.5-1 <-------- This file was parsed by PHP as
>> intended.
>>
>> [...]
>> <<<>>>
>
> That's a generic example. The pitfalls page is meant to warn you
> against some inadvisable practices. It's not meant to be a config
> recipe. You should always adapt your config to your application.
>
> As a rule all PHP (or whatever language file) scripts should be
> enumerated in the config, if possible with exact matches, or if
> using PATHINFO with the correct pattern.
>
> Otherwise you're setting yourself up for getting p0wned.
>
> --- appa
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx


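The hardened form of the quoted "Proxy Everything" config, as an added example that is not from the wiki page or from anyone in this thread. It keeps the root and FastCGI socket from Lukas's config (assumed, not verified against any real host) and changes only the location blocks: static requests never fall through to FastCGI, and a PHP script is only passed to FastCGI when the script file really exists on disk, which is the try_files check Adrian describes.

```nginx
# Added example, not from the wiki page or from any poster in this thread.
# Same root and socket as the quoted "Proxy Everything" config (assumed);
# only the location blocks differ.
server {
    server_name _;
    root /var/www/site;

    # Static content only. A request that matches neither a file nor a
    # directory is answered 404 here instead of being handed to FastCGI,
    # so "/info.php/asdf" no longer reaches PHP through this block.
    location / {
        try_files $uri $uri/ =404;
    }

    # Every PHP script is enumerated by this one pattern. try_files $uri
    # verifies that the script exists before anything is passed on:
    # "/info.php" is executed instead of being served as a 20-byte
    # application/octet-stream download, and a non-existent
    # "/uploads/x.jpg/y.php" is a 404 rather than a FastCGI hit.
    # =403 instead of =404, as in Adrian's post, works the same way.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}

# php.ini, belt and braces (does not depend on the nginx side):
#   cgi.fix_pathinfo=0
```

Why the original leaked source: try_files $uri found /var/www/site/info.php and served it as a static file, while /info.php/asdf matched nothing, fell to @proxy, and went to FastCGI with SCRIPT_FILENAME=/var/www/site/info.php/asdf, which PHP with cgi.fix_pathinfo=1 silently shortens to info.php. If the application genuinely needs PATH_INFO, match `location ~ \.php(/|$)`, add `fastcgi_split_path_info ^(.+\.php)(/.+)$;` and `fastcgi_param PATH_INFO $fastcgi_path_info;`, and guard with `if (!-f $document_root$fastcgi_script_name) { return 404; }` before fastcgi_pass; the php.ini setting stays at 0 either way.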
Subject                                                          Author                   Posted
Vulnerability in "Proxy Everything" (Wiki article Pitfalls)      Lukas0907                March 08, 2011 09:33AM
Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)  Ensiferous               March 08, 2011 11:08AM
Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)  António P. P. Almeida    March 08, 2011 02:18PM
Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)  Cliff Wells              March 08, 2011 02:28PM
Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)  Lukas0907                March 08, 2011 02:37PM
Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)  Cliff Wells              March 08, 2011 02:48PM
Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)  António P. P. Almeida    March 08, 2011 09:48PM
Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)  Adrian von Stechow       March 09, 2011 01:04AM
Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)  genarg                   April 06, 2011 11:29AM