Re: PH Fast-CGI security pitfall

B.R.
November 22, 2011 03:06PM
Your use of the if switch is listed in the pitfalls page of
nginx http://wiki.nginx.org/Pitfalls (see
*Check IF File Exists* section) :o)
It is said you should use the try one!

My message was: is using the try switch with the '=404' the right way? If
yes can someone add that to the nginx wiki?
---
*B. R.*


On Tue, Nov 22, 2011 at 14:58, Maxim Khitrov <max@mxcrypt.com> wrote:

> On Tue, Nov 22, 2011 at 2:32 PM, B.R. <reallfqq-nginx@yahoo.fr> wrote:
> > Hello,
> >
> > I just read this article which highlights a common security pitfall to serve
> > PHP files.
> > I don't see any similar advice in your PHP on Fast-CGI tutorial nor your
> > pitfalls page.
> >
> > On the last page, you tell about the problem in the Pass Non-PHP Requests to
> > PHP section, you seem to point in the right direction in the Proxy
> > everything section, but not for the right reasons.
> > You tell people to use an 'if' to check for file existence, but the use of
> > 'try' is much better, as you know it since you redirect to the IfIsEvil page.
> >
> > The article I gave you reference to offers 5 different ways to secure the
> > server. The 'try_files $uri =404;' seems to be a nice way of preventing
> > non-PHP script from being executed, isn't it?
>
> I generally use the following template for serving PHP via FastCGI:
>
> location ~ \.php$ {
>     if (!-f $request_filename) { return 404; }
>
>     fastcgi_pass 127.0.0.1:8000;
>     fastcgi_param SCRIPT_FILENAME $request_filename;
>     ...
> }
>
> The 'if' statement causes 404 to be returned unless the requested file
> actually exists. Making sure that people can't upload files ending in
> '.php' is a separate matter, but I believe that this configuration
> takes care of the security issue described in your first link.
>
> For the given example, nginx detects that
> http://www.bambookites.com/uploads/random.gif/somefilename.php doesn't
> refer to an actual php file, so nothing is passed to the interpreter.
>
> - Max
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
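The two guards discussed in this thread, side by side, as an added example that is not part of the original messages. The server_name, root path and use of the stock fastcgi_params file are assumptions; the backend address is the one from the quoted template.

```nginx
# Constructed example; server_name and root are placeholders.
server {
    listen      80;
    server_name example.test;
    root        /var/www/example;

    # Unguarded form (left commented out): every URI ending in .php is
    # handed to the FastCGI backend, whether or not such a file exists.
    # A request like /uploads/random.gif/somefilename.php reaches PHP with
    # a SCRIPT_FILENAME that is not a file, and what happens next is up to
    # the interpreter's own path handling (cgi.fix_pathinfo in php.ini).
    #
    # location ~ \.php$ {
    #     fastcgi_pass  127.0.0.1:8000;
    #     fastcgi_param SCRIPT_FILENAME $request_filename;
    #     include       fastcgi_params;
    # }

    # Guard from the quoted template: an 'if' inside the location.
    #
    # location ~ \.php$ {
    #     if (!-f $request_filename) { return 404; }
    #     ...
    # }

    # Guard asked about in this thread: try_files with a status-code fallback.
    location ~ \.php$ {
        # $uri must name an existing file under root, otherwise nginx
        # answers 404 itself and nothing is sent to the backend.
        # /uploads/random.gif/somefilename.php fails this check because
        # random.gif is a file, not a directory.
        try_files $uri =404;

        fastcgi_pass  127.0.0.1:8000;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        include       fastcgi_params;
    }
}
```

The existence check runs against nginx's own filesystem, so it only helps when the FastCGI backend serves the same document root. A file that really is named *.php still passes it, which is the separate upload-filtering matter mentioned in the quoted reply.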