jyr / MNPP

Mac + Nginx + Percona + PHP a high performance web server in a one-click installer
http://getmnpp.org

[nginx + php-fpm] exploit (cgi.fix_pathinfo=1) #17

ghost closed 12 years ago

ghost commented 12 years ago

Original post http://www.80sec.com/nginx-securit.html

Simple translation:

If you set up your nginx+php-cgi using configuration like this:

    location ~ \.php$ {
        root html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        include fastcgi_params;
    }

When someone requests http://address/80sec.jpg/80sec.php

uri would be /80sec.jpg/80sec.php

SCRIPT_FILENAME would be /scripts/80sec.jpg/80sec.php

If fix_pathinfo is enabled (most likely it is)

SCRIPT_FILENAME would become /scripts/80sec.jpg and PATH_INFO would become 80sec.php

/scripts/80sec.jpg would become the request processed by php

This means someone can upload a jpg and have it executed as PHP.

Quick fix: set cgi.fix_pathinfo = 0 in php.ini

==OR==

try_files $uri =404;

Other web servers such as lighttpd don't have this problem, so nginx probably needs to address this.
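The path resolution described in the post above, as an added example that is not part of the original issue or of MNPP: a simplified Python model of the nginx location block and of PHP's cgi.fix_pathinfo fallback, with both fixes as switches. The file set, the function names and the assumption that try_files checks the same directory used for SCRIPT_FILENAME are constructed for illustration.

```python
import posixpath

# Constructed sample: files present on disk under the script directory.
FILES = {"/scripts/index.php", "/scripts/80sec.jpg"}
SCRIPT_ROOT = "/scripts"  # prefix used in the post's SCRIPT_FILENAME


def nginx_script_filename(uri, try_files=False, files=FILES):
    """Model of the PHP location block: return the SCRIPT_FILENAME passed
    to PHP, or None when the request never reaches PHP."""
    if not uri.endswith(".php"):
        return None  # the .php location does not match this URI
    path = SCRIPT_ROOT + uri
    if try_files and path not in files:
        return None  # try_files $uri =404; nginx answers 404 itself
    return path


def php_resolve(script_filename, fix_pathinfo=True, files=FILES):
    """Model of cgi.fix_pathinfo: return the file PHP would execute,
    or None when PHP finds no input file."""
    if script_filename in files:
        return script_filename
    if not fix_pathinfo:
        return None  # cgi.fix_pathinfo = 0: no fallback search
    # Strip trailing path components until an existing file is found;
    # the stripped remainder is what ends up in PATH_INFO.
    candidate = script_filename
    while candidate not in ("/", ""):
        candidate = posixpath.dirname(candidate)
        if candidate in files:
            return candidate
    return None


def executed_file(uri, fix_pathinfo=True, try_files=False):
    """Chain both models for one request URI."""
    script = nginx_script_filename(uri, try_files)
    return php_resolve(script, fix_pathinfo) if script else None


if __name__ == "__main__":
    uri = "/80sec.jpg/80sec.php"
    print("no fix:         ", executed_file(uri))
    print("fix_pathinfo=0: ", executed_file(uri, fix_pathinfo=False))
    print("try_files:      ", executed_file(uri, try_files=True))
    print("index.php fixed:", executed_file("/index.php", False, True))
```
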

ghost commented 12 years ago

open /Applications/MNPP/conf/nginx/common/php

find: location ~ .php$ {

after it, add the line: try_files $uri =404;

jyr commented 12 years ago

Thanks a lot, done on MNPP 0.2.0!