Re: nginx 0day exploit for nginx + fastcgi PHP

Jérôme Loyet
May 21, 2010 03:50PM
2010/5/21 Igor Sysoev <igor@sysoev.ru>:
> On Fri, May 21, 2010 at 02:26:31PM -0400, Ian Evans wrote:
>
>> Is this situation only pertaining to sites that allow uploads from forms?
>>
>> Going way back to this thread
>> (http://www.ruby-forum.com/topic/145358#645652) in '08, I needed
>> cgi.fix-pathinfo=1 to fix problems with paths and specific extensionless
>> files I needed run as php.
>>
>> Changing cgi.fix-pathinfo=1 to 0 broke a lot of stuff.
>
> Could you show again how URIs should be mapped to SCRIPT_FILENAME
> and PATH_INFO ? Modern nginx versions support named captures in regex.
>

hi igor,

This is a very interesting situation :) And it could be a real security
hole on some configurations.

Let's say you have the default configuration (except for the
SCRIPT_FILENAME, which has been adapted for my local conf where the
fastcgi server is running locally and uses the same document root as
nginx)

location ~ \.php$ {
    root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include fastcgi_params;
}


Let's say the request is
http://mydomain/foo/test.php/virtual/path/to/somewhere.php

The fastcgi request sends the following fastcgi parameters:
SCRIPT_FILENAME is set to
/nginx/prefix/html/foo/test.php/virtual/path/to/somewhere.php
PATH_INFO is not set

with fix_pathinfo=1
SCRIPT_FILENAME is transformed to /nginx/prefix/html/foo/test.php
PATH_INFO is set to /virtual/path/to/somewhere.php
In this case, PHP could parse and execute an unwanted file and a
security hole can exist.

with fix_pathinfo=0
SCRIPT_FILENAME is not changed and is still
/nginx/prefix/html/foo/test.php/virtual/path/to/somewhere.php
PATH_INFO is not changed and remains unset
In this case, PHP tries to execute the file which really corresponds
to the request, which will certainly not exist.

In both cases, if the (updated) SCRIPT_FILENAME corresponds to an
existing file on the filesystem, it's interpreted by PHP.

Is it a PHP bug? I don't really know. fix_pathinfo is a feature which
could be useful in some cases (otherwise why would it have been done?).
Is it an nginx bug? I don't think so. It's how nginx works. The guy
who makes the conf should understand what he's doing. But .. see my
following question.

Why does nginx forward the request to the fastcgi server if the
SCRIPT_FILENAME does not exist?
1- if the fastcgi server is not local, the local machine does not have
the script file on its filesystem --> nginx can't check if the file
exists. It would say NO instead of YES.
2- if the fastcgi server is local but running as a user which
doesn't have the rights to search for the script filename --> nginx can't
check if the file exists. It would say NO instead of YES.
3- if the fastcgi server is local and has access to the file -->
nginx can return 404 without sending the request to the fastcgi
server. This is useful in this security case, but it's also a
performance enhancement because the fastcgi server won't deal with non
existing files, 404 will be returned quicker and fewer resources
will be used.

Igor, maybe the default conf file is not that good about PHP through fastcgi.
Here is an idea:
--- nginx.conf.orig 2010-05-21 21:31:45.000000000 +0200
+++ nginx.conf 2010-05-21 21:36:00.000000000 +0200
@@ -64,9 +64,12 @@
#
#location ~ \.php$ {
# root html;
+ # if (!-e $request_filename) {
+ # return 404;
+ # }
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # fastcgi_param SCRIPT_FILENAME $request_filename;
# include fastcgi_params;
#}
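Review bot: the `if (!-e $request_filename) { return 404; }` check stops the upload case (the full path `/uploads/image.jpg/x.php` does not exist on disk) but also 404s the PATH_INFO-style URL the post opens with, `/foo/test.php/virtual/path/to/somewhere.php`, because `$request_filename` is the whole URI appended to the root; sites that rely on cgi.fix_pathinfo=1 for such URLs lose them, so the check should be paired with fastcgi_split_path_info or documented as incompatible with PATH_INFO. `-e` is also true for directories, so a directory whose name ends in `.php` still reaches the FastCGI server; `-f` is the tighter test here. The second change, `SCRIPT_FILENAME $request_filename` replacing `/scripts$fastcgi_script_name`, only holds when the FastCGI backend shares nginx's document root, as the post's own setup does; a commented default should say so, since a remote backend still needs the prefix form.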


Or maybe just add a BIG warning to disable fix_pathinfo and use
fastcgi_split_path_info to deal with those kinds of URLs.

On my side, I'll check if fix_pathinfo is really useful on
php-fpm. If not, I'll try to remove it.

Hope this helps!

++ Jerome

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
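The walk-through above (SCRIPT_FILENAME rewritten by cgi.fix_pathinfo, the proposed existence check, and fastcgi_split_path_info) as an added, runnable model. This is example code written for this page, not code from the post or from nginx/PHP. The fix_pathinfo walk is a simplification of what php-cgi does (strip trailing path components until an existing regular file is found); the regex is the common `^(.+\.php)(/.+)$` splitter; the document root, the file `uploads/evil.jpg` and the URL `/uploads/evil.jpg/x.php` are constructed for the demo and are not from the thread.

```python
"""
Added example (not from the post): a model of how nginx and PHP turn a
request URI into the file PHP executes, for the configurations discussed
in the thread.  The fix_pathinfo walk below is a simplification of php-cgi's
behaviour; the docroot and the files in it are constructed for the demo.
"""
import os
import re
import shutil
import tempfile

# nginx's usual splitter:  fastcgi_split_path_info ^(.+\.php)(/.+)$;
SPLIT_RE = re.compile(r"^(.+\.php)(/.+)$")


def nginx_split_path_info(uri):
    """Return ($fastcgi_script_name, $fastcgi_path_info) as the splitter would.
    With no match nginx passes the whole URI as the script name and no PATH_INFO."""
    m = SPLIT_RE.match(uri)
    return (m.group(1), m.group(2)) if m else (uri, "")


def php_fix_pathinfo(script_filename, fix_pathinfo):
    """Simplified model of php-cgi's handling of SCRIPT_FILENAME.

    cgi.fix_pathinfo=0: run exactly SCRIPT_FILENAME, fail if it is not a file.
    cgi.fix_pathinfo=1: strip trailing components into PATH_INFO until an
    existing regular file is found, then run *that* file whatever its name.
    Returns (file_to_execute, PATH_INFO), or (None, None) if nothing runs.
    """
    if os.path.isfile(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        return None, None
    path, path_info = script_filename, ""
    while "/" in path:
        path, _, tail = path.rpartition("/")
        path_info = "/" + tail + path_info
        if os.path.isfile(path):
            return path, path_info
    return None, None


def serve(docroot, uri, fix_pathinfo, split_path_info=False, check_exists=False):
    """Model one request through `location ~ \\.php$ { ... fastcgi_pass ...; }`.

    split_path_info: the location uses fastcgi_split_path_info ^(.+\\.php)(/.+)$
    check_exists:    the location returns 404 unless the script file it is about
                     to send is a regular file (the role of the
                     `if (!-e $request_filename) { return 404; }` idea above,
                     or of try_files ... =404).
    Returns (http_status, file_php_executes relative to docroot, PATH_INFO).
    """
    if not uri.endswith(".php"):
        return 404, None, None          # location ~ \.php$ does not match
    script_name, path_info = nginx_split_path_info(uri) if split_path_info else (uri, "")
    script_filename = docroot + script_name
    if check_exists and not os.path.isfile(script_filename):
        return 404, None, None
    executed, php_path_info = php_fix_pathinfo(script_filename, fix_pathinfo)
    if executed is None:
        return 404, None, None
    return 200, os.path.relpath(executed, docroot), php_path_info or path_info


def build_docroot():
    """Constructed docroot: one real script plus an uploaded 'image' that
    actually contains PHP (the attacker-controlled upload the thread worries about)."""
    docroot = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(docroot, "foo"))
    os.makedirs(os.path.join(docroot, "uploads"))
    with open(os.path.join(docroot, "foo", "test.php"), "w") as f:
        f.write("<?php echo 'legitimate script'; ?>")
    with open(os.path.join(docroot, "uploads", "evil.jpg"), "w") as f:
        f.write("<?php /* attacker-controlled PHP hidden in an 'image' */ ?>")
    return docroot


def demo():
    """Run the legitimate PATH_INFO URL from the post and a hypothetical
    upload-abuse URL through five configurations.  Returns {name: (legit, attack)}."""
    docroot = build_docroot()
    legit = "/foo/test.php/virtual/path/to/somewhere.php"   # URL from the post
    attack = "/uploads/evil.jpg/x.php"                       # constructed attack URL
    configs = {
        "default/fix=1":      dict(fix_pathinfo=1),
        "default/fix=0":      dict(fix_pathinfo=0),
        "exists-check/fix=1": dict(fix_pathinfo=1, check_exists=True),
        "split/fix=1":        dict(fix_pathinfo=1, split_path_info=True),
        "split/fix=0":        dict(fix_pathinfo=0, split_path_info=True),
    }
    try:
        return {name: (serve(docroot, legit, **kw), serve(docroot, attack, **kw))
                for name, kw in configs.items()}
    finally:
        shutil.rmtree(docroot)


if __name__ == "__main__":
    for name, (legit, attack) in demo().items():
        print(f"{name:20} legit={legit}  attack={attack}")
```

Running it shows the trade-off the thread circles around: with the default location and cgi.fix_pathinfo=1 the uploaded `evil.jpg` is what PHP executes; turning fix_pathinfo off, or adding the existence check, stops that but also turns the legitimate `/foo/test.php/virtual/...` URL into a 404; fastcgi_split_path_info on its own changes nothing for the attack as long as fix_pathinfo=1, since PHP still walks back to the existing file; only fix_pathinfo=0 combined with fastcgi_split_path_info keeps PATH_INFO working and refuses the upload.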