Re: Some security vulnerable

António P. P. Almeida
June 05, 2011 01:42PM
On 5 Jun 2011 14h40 WEST, tomlove@gmail.com wrote:

> On 5 June 2011 12:01, Kraiser <nginx-forum@nginx.us> wrote:
>> What do you guys think about implementing this into nginx just like it
>> is in apache? if ( $fastcgi_script_name ~ \..*\/.*php ) { return
>> 403; } because without that some servers which allow uploading
>> images are vulnerable to external exploits.
>>
>
> They're vulnerable because of bad site design and configuration
> (although I do think nginx's location parsing logic makes it
> uncomfortably easy to produce insecure configurations). Why not
> eliminate the vulnerability instead of hardening against it with
> more configuration? The .php match should not be attempted in any
> untrusted user-upload directory -- use sub-locations.

I agree. Either nested locations and/or enumeration of all PHP-enabled
locations is the way to go. The above is just a stopgap for a proper,
meaning secure, configuration.

--- appa
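
Added example, not part of the original thread or of any poster's configuration: a server block that enumerates the PHP-enabled locations and keeps the upload directory out of `.php` matching, as the replies above recommend. The host name, document root, `/uploads/` path, `/index.php` entry point and the FastCGI backend address are assumptions chosen for illustration.

```nginx
server {
    listen 80;
    server_name example.test;        # placeholder host name (assumption)
    root /var/www/example;           # assumed document root

    # Catch-all pattern the thread warns about, shown commented out for
    # comparison: it is evaluated for every URI, including those under the
    # user-upload directory.
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_pass 127.0.0.1:9000;
    # }

    # Untrusted upload directory. The ^~ modifier makes nginx stop at this
    # prefix match and skip the regex locations, so no .php rule is ever
    # attempted for URIs under /uploads/. Files here are served as static
    # content or not at all.
    location ^~ /uploads/ {
        try_files $uri =404;
    }

    # Enumerated PHP entry point: an exact match, so only this script is
    # handed to the FastCGI backend.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;   # assumed PHP backend address
    }

    # Everything else is a static file or is routed to the entry point.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Any other URI ending in .php was not enumerated above: refuse it
    # instead of passing it to PHP.
    location ~ \.php$ {
        return 404;
    }
}
```

Each additional PHP script the site needs gets its own `location = /name.php` block; `nginx -t` checks the syntax before a reload.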

