On 5 June 2011 12:01, Kraiser <nginx-forum@nginx.us> wrote:
> What do you guys think about implement this into nginx just like it is
> in apache?
> if ( $fastcgi_script_name ~ \..*\/.*php ) {
> return 403;
> }
> because without that some servers which allows to upload images are
> vulnerable to external exploits.
>

They're vulnerable because of bad site design and configuration
(although I do think nginx's location parsing logic makes it
uncomfortably easy to produce insecure configurations). Why not
eliminate the vulnerability instead of hardening against it with more
configuration? The .php match should not be attempted in any untrusted
user-upload directory -- use sub-locations.

Thomas

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx