40 of my servers were compromised because of this issue and I just found out about it...aarrrghhhh.
There are PHP cmd shell trojans everywhere now!
I was able to easily replicate this issue, and the cgi.fix_pathinfo=0 fix did NOT work on my systems.
Adding:
location ~ \..*/.*\.php$ {
    # Matches any URI in which a dot appears in a path component before the
    # final .php, e.g. /blah/virusimage.jpg/hello.php, and answers 403 instead
    # of handing the request to the FastCGI backend.
    return 403;
}
did solve the issue, however.
It is VERY common for image hosting sites to allow file uploads to the web directory.
Anyone can upload a PHP file as an image and immediately execute it.
nginx should NOT allow the FastCGI backend to execute code in a file that does not even exist.
/blah/blah/virusimage.jpg/hello.php should never execute the hidden PHP code inside the file virusimage.jpg.
I wonder how many sites have been trojaned because of this. I've been searching vulnerability databases for days and have never come across this nginx issue. :(
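The configuration below is an added example, not the commenter's own config and not part of the original post. It shows the exposed pattern the post describes next to a hardened version: the weak block hands every URI ending in .php to PHP-FPM whether or not such a file exists, while the hardened blocks refuse anything under the upload directory outright and, for everything else, only proxy a .php URI that maps to a real file on disk. It assumes PHP-FPM listens on 127.0.0.1:9000, that the document root is /var/www/html, and that user uploads land under /uploads/; those paths and the backend address are assumptions, so adjust them to your layout. Use one of the two variants inside your server block, not both.

```nginx
# Added example (not from the original post). Assumed layout:
#   root            /var/www/html
#   uploads         /var/www/html/uploads  (user-writable)
#   PHP-FPM backend 127.0.0.1:9000

# --- WEAK: what the post describes -------------------------------------
# Any URI ending in .php is proxied, even when no such file exists.
# For /uploads/virusimage.jpg/hello.php nginx sends
#   SCRIPT_FILENAME=/var/www/html/uploads/virusimage.jpg/hello.php
# and PHP, with cgi.fix_pathinfo=1, walks back to the first existing
# path component (virusimage.jpg) and executes it as PHP.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}

# --- HARDENED -----------------------------------------------------------
# 1. Nothing under the upload directory is ever executed. Regex locations
#    are evaluated in order and the first match wins, so this block must
#    appear before the generic .php location. Case-insensitive (~*) so
#    .PHP / .pHp uploads are caught too.
location ~* ^/uploads/.*\.php {
    return 403;
}

# 2. Only proxy a .php URI that maps to an existing file. For
#    /uploads/virusimage.jpg/hello.php, $uri does not exist on disk, so
#    nginx answers 404 itself and PHP-FPM never sees the request.
location ~ \.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}
```

After reloading, a request such as `curl -i http://your-host/uploads/virusimage.jpg/hello.php` should return 403 (from the uploads rule) and `curl -i http://your-host/some/dir.jpg/x.php` should return 404 rather than the output of PHP code hidden in the image; check the access log for 200 responses to such URIs to find earlier exploitation attempts.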