Re: Nginx+Php-fpm Dangerous Bug

Oleksandr V. Typlyns'kyi
December 03, 2011 04:14AM
Today Dec 3, 2011 at 03:26 escavern wrote:

> This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
> Nginx+php-fpm shows a dangerous bug because it allows a PHP shell
> hidden in an image to run,
>
> if you have php script like this:
> ------------------------------------------------------------------------------------------------------------
> <?php
>
> $rfi = $_GET['call'];
> include($rfi);
> ?>
> ---------------------------------------------------------------------------------------------------------

Include() for files from GET? Do you really think it is good PHP code?
http://php.net/manual/en/function.include.php

> and the PHP shell formed in an image (jpg/gif) can be executed
> with a command like this
> http://www.your-domain.com/script.php?call=phpshell.jpg

It does exactly what you wrote: it "includes and evaluates" that file.
Use fopen()+fread(), file_get_contents() or readfile(), and sanitize the input from GET.

> but it doesn't have an effect when I tried it on Apache

Most likely mod_php and php-fpm use a different php.ini or even a different DOCUMENT_ROOT.

http://www.ceriwis.org/rfi.php?hal=info.php - display_errors=on:
Warning: include(info.php) [function.include]: failed to open stream: No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
Warning: include(info.php) [function.include]: failed to open stream: No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
Warning: include() [function.include]: Failed opening 'info.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/ceriorg/public_html/rfi.php on line 4

http://ceri.ws/rfi.php?hal=info.php - display_errors=off and silence.

> someone told me I should use:
> 1. try_files $uri =404; or this:
> 2. if (!-f $request_filename) { return 404; } or this:
> 3. cgi.fix_pathinfo=0
> 4. http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
> 5. Igor Sysoev's tips:
> http://forum.nginx.org/read.php?2,88845,88858#msg-88858
> but none of them work, I can still access
> http://www.ceriwis.org/rfi.php?hal=ass.jpg and the PHP shell still
> appears.

0. Fix the PHP code.

--
WNGS-RIPE

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
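As an added example (not code from this thread, nor from nginx or PHP-FPM), here is what "fix the PHP code" looks like in practice for the quoted `include($_GET['call'])` pattern. The nginx-side suggestions (try_files, the `-f $request_filename` check, cgi.fix_pathinfo=0) only control which requests nginx hands to PHP; they cannot change what a script does once it calls include() on a request parameter. In the hardened version below the request value is never passed to include() directly: it is used only as a key into a fixed allowlist, and any other file is sent with readfile(), which streams bytes and does not evaluate them, so PHP code hidden in a .jpg stays inert. The directory names `pages/` and `static/`, the allowlist entries, and the function names are assumptions for the example.

```php
<?php
// Added example: hardened replacement for `include($_GET['call'])`.
// Assumed layout: ./pages/<name>.php holds includable templates,
// ./static/ holds plain files that are served as data, never evaluated.

declare(strict_types=1);

const PAGES_DIR  = __DIR__ . '/pages';
const STATIC_DIR = __DIR__ . '/static';

// Allowlist: only these logical names can ever reach include().
// (Entries are assumed for the example.)
const ALLOWED_PAGES = [
    'info'    => 'info.php',
    'contact' => 'contact.php',
];

/**
 * Map a user-supplied page name to an allowlisted file path, or null.
 * The request value is only a dictionary key, so it can never name a
 * file (local, remote, or wrapper URL) that the map does not list.
 */
function resolvePage(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    $path = PAGES_DIR . '/' . ALLOWED_PAGES[$name];
    return is_file($path) ? $path : null;
}

/**
 * Map a user-supplied file name to a path inside STATIC_DIR, rejecting
 * traversal and URL wrappers. The result is only ever given to readfile().
 */
function resolveStatic(string $name): ?string
{
    // basename() strips directory components ("../", "/etc/", "http://host/").
    $base = basename($name);
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    $root = realpath(STATIC_DIR);
    $real = realpath(STATIC_DIR . '/' . $base);
    if ($root === false || $real === false) {
        return null;
    }
    // realpath() resolves symlinks; confirm the target is still under the root.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

$call = isset($_GET['call']) ? (string) $_GET['call'] : '';

if (($page = resolvePage($call)) !== null) {
    include $page;              // only allowlisted templates are evaluated
} elseif (($file = resolveStatic($call)) !== null) {
    header('Content-Type: application/octet-stream');
    readfile($file);            // sent as bytes; never parsed as PHP
} else {
    http_response_code(404);    // unknown names get a 404, not a warning leak
    echo 'Not found';
}
```

Two design points worth noting: the allowlist, rather than a sanitised path, is what protects include(), because include() will evaluate any file it can open regardless of extension or the nginx configuration in front of it; and the 404 branch with display_errors=off in production keeps the include_path and document root (visible in the warnings quoted above) out of responses.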