Welcome! Log In Create A New Profile

Advanced

Re: Some security vulnerable

Thomas Love
June 05, 2011 09:42AM
On 5 June 2011 12:01, Kraiser <nginx-forum@nginx.us> wrote:
> What do you guys think about implement this into nginx just like it is
> in apache?
> if ( $fastcgi_script_name ~ \..*\/.*php ) {
> return 403;
> }
> because without that some servers which allows to upload images are
> vulnerable to external exploits.
>

They're vulnerable because of bad site design and configuration
(although I do think nginx's location parsing logic makes it
uncomfortably easy to produce insecure configurations). Why not
eliminate the vulnerability instead of hardening against it with more
configuration? The .php match should not be attempted in any untrusted
user-upload directory -- use sub-locations.

Thomas

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Subject Author Posted

Some security vulnerable

Kraiser June 05, 2011 06:01AM

Re: Some security vulnerable

edogawaconan June 05, 2011 06:26AM

Re: Some security vulnerable

Ensiferous June 05, 2011 07:20AM

Re: Some security vulnerable

Kraiser June 05, 2011 08:03AM

Re: Some security vulnerable

edogawaconan June 05, 2011 08:20AM

Re: Some security vulnerable

Thomas Love June 05, 2011 09:42AM

Re: Some security vulnerable

António P. P. Almeida June 05, 2011 01:42PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 171
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready