Welcome! Log In Create A New Profile

Re: nginx 0day exploit for nginx + fastcgi PHP

Forum List Message List New Topic Print View

brianmercer

May 21, 2010 05:03PM

Registered: 15 years ago
Posts: 65

Avleen Vig Wrote:
-------------------------------------------------------
> This is currently doing the rounds, so I thought
> it pertinent to post
> it here too.
>
> http://www.webhostingtalk.com/showthread.php?p=680
> 7475#post6807475
>
> I don't know what nginx should do to fix this, but
> there are two
> workarounds given.
> If you allow file uploads (especially things like
> images) and use PHP
> FastCGI in the back end, you should take a loot at
> this now.
> The exploit allows for any arbitrary file which is
> uploaded, to be
> executed as PHP.
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx

I can confirm this exploit worked with my site using nginx 0.8.36 and php-fpm 5.3.2 svn. This is on my password protected ssl admin subdomain where I use:

location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
}

I copied my phpinfo.php to be badfile.jpg and also badfile. Then I could access either:

https://admin.mysite.com/badfile/foo.php or
https://admin.mysite.com/badfile.jpg/bar.php

and it would run it. On my drupal sites I'm more careful and use:

location = /index.php {
...
fastcgi_param SCRIPT_FILENAME /var/www/$host/drupal/index.php;
...
}

only (there's actually 5 php files in drupal, but only index.php is a must), so the vulnerability doesn't work. But some things (e.g. wordpress) use tons of php files so it'd be a pain.

I tried changing to:

cgi.fix_pathinfo=0

in my php.ini file and that solved the problem. This also seemed to work fine:

location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
}

since it checks for the existence of the file at that path. Even if I put in an actual existing file like:

https://admin.example.com/test.jpg/apc.php

I still get a 404. So folks should try adding:

try_files $uri =404;

to their php blocks and see if that solves the problem for them as well.

Reply Quote

RSS

Subject	Author	Posted
nginx 0day exploit for nginx + fastcgi PHP	Avleen Vig	May 21, 2010 01:14PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Avleen Vig	May 21, 2010 01:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Eren Türkay	May 25, 2010 11:44AM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 21, 2010 01:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 01:36PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 01:44PM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 21, 2010 01:52PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 02:16PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian Evans	May 21, 2010 02:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 21, 2010 02:40PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 02:40PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 21, 2010 03:10PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 04:46PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian Evans	May 21, 2010 04:58PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 21, 2010 05:20PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian Evans	May 21, 2010 05:54PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 02:10AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 01:28AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 01:32AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian Evans	May 22, 2010 03:00AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 03:58AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 05:46AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 06:12AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 06:22AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 06:26AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 06:56AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 08:22AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Igor Sysoev	May 22, 2010 08:30AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 08:48AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ian M. Evans	May 22, 2010 06:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Jérôme Loyet	May 21, 2010 03:50PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Weibin Yao	May 23, 2010 11:24PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Jérôme Loyet	May 24, 2010 03:00AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Weibin Yao	May 24, 2010 04:20AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Cliff Wells	May 21, 2010 09:00PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Grzegorz Sienko	May 21, 2010 09:24PM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 21, 2010 09:34PM
Re: nginx 0day exploit for nginx + fastcgi PHP	gdork	January 26, 2011 11:07PM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	January 26, 2011 11:16PM
Re: nginx 0day exploit for nginx + fastcgi PHP	edogawaconan	January 27, 2011 12:28AM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	January 27, 2011 01:08AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Cliff Wells	May 21, 2010 10:42PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Ding Deng	May 22, 2010 09:28AM
Re: nginx 0day exploit for nginx + fastcgi PHP	mike	May 22, 2010 03:30PM
Re: nginx 0day exploit for nginx + fastcgi PHP	brianmercer	May 21, 2010 05:03PM
Re: nginx 0day exploit for nginx + fastcgi PHP	tuurtnt	December 14, 2011 06:26PM
Re: nginx 0day exploit for nginx + fastcgi PHP	Kraiser	February 17, 2012 09:53AM
Re: nginx 0day exploit for nginx + fastcgi PHP	Reinis Rozitis	February 17, 2012 11:42AM
Re: nginx 0day exploit for nginx + fastcgi PHP	zsero	October 30, 2012 01:01PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 114

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 500 on July 15, 2024