Welcome! Log In Create A New Profile

Re: Nginx+Php-fpm Dangerous Bug

Forum List Message List New Topic Print View

Oleksandr V. Typlyns'kyi

December 03, 2011 04:14AM

Today Dec 3, 2011 at 03:26 escavern wrote:

> This is very dangerous Remote File Inclusion Bug in Nginx+php-fpm
> The Nginx+php-fpm shows dangerous bug because its allowed the PhpShell
> hidden in Image to Running,
>
> if you have php script like this:
> ------------------------------------------------------------------------------------------------------------
> <?php
>
> $rfi = $_GET['call'];
> include($rfi);
> ?>
> ---------------------------------------------------------------------------------------------------------

Include() for files from GET? Do you really think it is good php code?
http://php.net/manual/en/function.include.php

> and the Php-shell formed in image(jpg/gif) can be executed to running
> with command like this
> http://www.your-domain.com/script.php?call=phpshell.jpg

It do exactly what you want(write) - "includes and evaluates" that file.
Use fopen()+fread(), file_get_contents() or readfile() and sanitize input from GET.

> but it doesnt affect when i tried on Apache

Most likely mod_php and php-fpm use different php.ini or even DOCUMENT_ROOT.

http://www.ceriwis.org/rfi.php?hal=info.php - display_errors=on:
Warning: include(info.php) [function.include]: failed to open stream: No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
Warning: include(info.php) [function.include]: failed to open stream: No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
Warning: include() [function.include]: Failed opening 'info.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/ceriorg/public_html/rfi.php on line 4

http://ceri.ws/rfi.php?hal=info.php - display_errors=off and silence.

> someone told me i should use:
> 1.try_files $uri =404; or this:
> 2.if (!-f $request_filename) { return 404; } or this
> 3.cgi.fix_pathinfo=0
> 4.http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
> 5.Igor sysoev tips :
> http://forum.nginx.org/read.php?2,88845,88858#msg-88858
> but all of them won't work, i still can access
> http://www.ceriwis.org/rfi.php?hal=ass.jpg and the phpshell still
> appear.

0. Fix php code.

--
WNGS-RIPE

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 03:26AM
Re: Nginx+Php-fpm Dangerous Bug	António P. P. Almeida	December 03, 2011 03:48AM
Re: Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 03:58AM
Re: Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 04:05AM
Re: Nginx+Php-fpm Dangerous Bug	Edho Arief	December 03, 2011 04:06AM
Re: Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 04:09AM
Re: Nginx+Php-fpm Dangerous Bug	Edho Arief	December 03, 2011 04:24AM
Re: Nginx+Php-fpm Dangerous Bug	Jérôme Loyet	December 03, 2011 04:32AM
Re: Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 04:48AM
Re: Nginx+Php-fpm Dangerous Bug	Oleksandr V. Typlyns'kyi	December 03, 2011 05:02AM
Re: Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 05:12AM
Re: Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 05:14AM
Re: Nginx+Php-fpm Dangerous Bug	locojohn	December 03, 2011 07:49AM
Re: Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 10:37AM
Re: Nginx+Php-fpm Dangerous Bug	escavern	December 03, 2011 04:47AM
Re: Nginx+Php-fpm Dangerous Bug	Oleksandr V. Typlyns'kyi	December 03, 2011 04:14AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 153

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018