php-fpm not matching path correctly, executing any file

Posted by Ben Firshman 
Hi,

I am using PHP-FPM with Nginx. PHP-FPM seems to execute any arbitrary file with a URL constructed like this:

http://basschat.co.uk/favicon.ico/.php
http://php-fpm.org/images/php-fastcgi.png/.php

Does PHP-FPM strip off trailing directories until it finds a file that exists?

We were bitten by this when a user uploaded an image with embedded code. I know we should have stopped code from running in this directory, but I was under the assumption that PHP-FPM just executes files that exist!

Here is my Nginx config:

location ~ \.php$ {
    include fastcgi_params;
    fastcgi_index index.php;
    fastcgi_pass backend;
    fastcgi_connect_timeout 60;
    fastcgi_send_timeout 180;
    fastcgi_read_timeout 180;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;
}



Many thanks,

Ben
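
Added example, not part of the original post or of PHP-FPM's code: a simplified Python model of the path fallback the post asks about, used to flag requests that the posted `location` pattern sends to PHP but that resolve to a non-`.php` file. It assumes PHP's `cgi.fix_pathinfo` is enabled, which the post does not state; the file listing, request URIs and function names are constructed for illustration.

```python
import re

# Location pattern from the posted Nginx config (dot escaped).
LOCATION_RE = re.compile(r"\.php$")


def resolve_script(uri, existing_files):
    """Simplified model of PHP with cgi.fix_pathinfo=1 (assumed here):
    drop trailing path components until an existing file is found.
    Returns (script, path_info), or (None, None) if nothing matches."""
    path = uri.split("?", 1)[0]
    candidate = path
    while candidate and candidate != "/":
        if candidate in existing_files:
            return candidate, path[len(candidate):]
        candidate = candidate.rsplit("/", 1)[0]
    return None, None


def is_mismatched(uri, existing_files):
    """True when Nginx would pass the URI to PHP-FPM but the file that
    ends up being executed does not have a .php extension."""
    path = uri.split("?", 1)[0]
    if not LOCATION_RE.search(path):
        return False
    script, _ = resolve_script(path, existing_files)
    return script is not None and not script.endswith(".php")


# Constructed document root listing and request URIs (sample data).
FILES = {"/index.php", "/favicon.ico", "/images/php-fastcgi.png"}
REQUESTS = [
    "/index.php",
    "/index.php/article/42.php",
    "/favicon.ico",
    "/favicon.ico/.php",
    "/images/php-fastcgi.png/.php",
    "/missing.php",
]


def flagged(requests=REQUESTS, files=FILES):
    """Return the request URIs whose resolved script is not a .php file."""
    return [u for u in requests if is_mismatched(u, files)]


if __name__ == "__main__":
    for uri in flagged():
        print(uri, "->", resolve_script(uri, FILES))
```

Setting `cgi.fix_pathinfo=0` in php.ini, or adding `try_files $uri =404;` to the `location` block so Nginx rejects URIs that do not map to an existing file, stops this fallback from reaching uploaded files.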