António P. P. Almeida
December 03, 2011 03:48AM
On 3 Dec 2011 08h26 WET, nginx-forum@nginx.us wrote:

> This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
> Nginx+php-fpm shows a dangerous bug because it allows a
> PHP shell hidden in an image to run.
>
> if you have php script like this:
> ------------------------------------------------------------------------------------------------------------
> <?php
>
> $rfi = $_GET['call'];
> include($rfi);
> ?>
> ---------------------------------------------------------------------------------------------------------
>
> and the PHP shell embedded in an image (jpg/gif) can be executed
> with a command like this:
> http://www.your-domain.com/script.php?call=phpshell.jpg but it
> doesn't have any effect when I tried it on Apache.
>
> as an example you can see here:
>
> http://www.ceriwis.org/rfi.php?hal=ass.jpg <------------ using NGINX,
> and the phpshell is executed
>
> and
>
> http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using Apache, and
> the phpshell cannot be executed
>
> Someone told me I should use:
> 1. try_files $uri =404;
> 2. if (!-f $request_filename) { return 404; }
> 3. cgi.fix_pathinfo=0
> 4. http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
> 5. Igor Sysoev's tips: http://forum.nginx.org/read.php?2,88845,88858#msg-88858
> but none of them work; I can still access
> http://www.ceriwis.org/rfi.php?hal=ass.jpg and the phpshell still
> appears.

The try_files $uri =404 is not very smart since it involves making a
spurious stat() call AFAIK.

Instead you should enumerate all your PHP files with exact '='
locations and place something like this at the end of your config:

## Catch-all: any .php request not matched by one of the exact
## '=' locations above is refused instead of being passed to PHP.
location ~* \.php {
return 404;
}

Or if relying on PATH_INFO you should do something like this:

## Regular PHP processing.
location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
include fastcgi.conf;
## The fastcgi_params must be redefined from the ones
## given in fastcgi.conf. No longer standard names
## but arbitrary: named patterns in regex.
fastcgi_param SCRIPT_FILENAME $document_root$script;
fastcgi_param SCRIPT_NAME $script;
fastcgi_param PATH_INFO $path_info;
## Passing the request upstream to the FastCGI
## listener.
fastcgi_pass phpcgi;
}

Also your script is broken since you grab the value from the URI
without doing any filtering, so you're setting yourself up for being
exploited even with a safe configuration.

Also put:

allow_url_fopen = Off
allow_url_include = Off

in your php.ini.

See: http://www.php.net/manual/en/function.filter-var.php

> Please give me solution. thanks

Write code that sanitizes the input appropriately, and of course use
a safe configuration as well.

--- appa

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
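A hardened replacement for the quoted rfi.php, added here as an illustration of the "sanitize the input" advice and not taken from the thread: the request parameter is treated as a key into a fixed allowlist rather than as a filename, and the resolved path is confirmed to lie inside one directory, so a URL, an uploaded image or a path outside that directory can never reach include(). The directory and page names are assumptions.

```php
<?php
// Added example, not from the thread. Assumed layout: includable pages
// live in ./pages and are addressed by the keys of PAGES only.
declare(strict_types=1);

// The only directory from which pages may be included (assumed path).
const INCLUDE_DIR = __DIR__ . '/pages';

// Allowlist: ?call= supplies a key, never a filename or a URL.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the untrusted ?call= value to a real file path, or return null
 * when it is not an allowlisted page. realpath() also confirms that the
 * resolved file still lives inside INCLUDE_DIR, which protects against a
 * later misedit of the allowlist (e.g. an entry containing "../").
 */
function resolve_page(mixed $call): ?string
{
    // Reject arrays (?call[]=x), nulls and unknown keys alike.
    if (!is_string($call) || !isset(PAGES[$call])) {
        return null;
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . PAGES[$call]);
    if ($base === false || $path === false) {
        return null;
    }
    // Require $path to start with "<base>/" so sibling directories that
    // merely share a prefix (pages-old/) are not accepted either.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['call'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```

With this in place a request such as ?call=phpshell.jpg is simply an unknown key and gets a 404, regardless of how the web server in front of php-fpm maps the request.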