Welcome! Log In Create A New Profile

Advanced

Re: Help! Nginx Vulnerable Remote file inclusion

Tim Mensch
December 03, 2011 12:12AM
Check out this thread and see if it answers your question:

http://mailman.nginx.org/pipermail/nginx/2011-November/030503.html

It's not precisely the same, since you have rfi.php?hal=ass.jpg and not
rfi.php/ass.jpg, but it feels like the same bug, and you're only a
rewrite rule away from having exactly the problem command line.

The short answer is to add this:

try_files $uri =404;

or this:

if (!-f $request_filename) { return 404; }

to your PHP configuration in the PHP fastcgi configuration block.

Tim

On 12/2/2011 9:49 PM, escavern wrote:
> the image file is JPEG
> you can see the image file here:
>
>
> http://www.ceriwis.org/ass.jpg
>
> http://ceri.ws/ass.jpg
>
> Posted at Nginx Forum: http://forum.nginx.org/read.php?2,219523,219524#msg-219524
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Help! Nginx Vulnerable Remote file inclusion

escavern December 02, 2011 11:48PM

Re: Help! Nginx Vulnerable Remote file inclusion

escavern December 02, 2011 11:49PM

Re: Help! Nginx Vulnerable Remote file inclusion

Tim Mensch December 03, 2011 12:12AM

Re: Help! Nginx Vulnerable Remote file inclusion

escavern December 03, 2011 12:47AM

Re: Help! Nginx Vulnerable Remote file inclusion

Tim Mensch December 03, 2011 12:52AM

Re: Help! Nginx Vulnerable Remote file inclusion

escavern December 03, 2011 01:36AM

Re: Help! Nginx Vulnerable Remote file inclusion

Mark Alan December 03, 2011 04:44AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 92
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready