wallabag / docker

Official docker-composer for wallabag.

Nginx security: please check if config is safe #171

Open saschafoerster opened 4 years ago

saschafoerster commented 4 years ago

A few days ago, vulnerabilities in certain Nginx configs were reported: https://nvd.nist.gov/vuln/detail/CVE-2019-11043 https://bugs.php.net/bug.php?id=78599 https://de.tenable.com/blog/cve-2019-11043-vulnerability-in-php-fpm-could-lead-to-remote-code-execution-on-nginx

I am not sure if wallabag's configuration is unsafe, but it resembles in some way the described problem areas: https://github.com/wallabag/wallabag/blob/master/docker/nginx/nginx.conf, for instance it contains: "fastcgi_split_path_info ^(.+?.php)(/.*)$;"

4oo4 commented 4 years ago

I think it might be OK since it includes a try_files directive, though not sure if that would need to be tightened since it includes $args?

https://github.com/wallabag/wallabag/blob/3b79c1ac4e72ff6fbd2beaa09be7e5f7085bfb8b/docker/nginx/nginx.conf#L44

I don't have a way to test since I use nginx only as a reverse proxy to Apache, which handles PHP with mod_php instead of php-fpm. However, if someone's using nginx+php-fpm, they can test to see if it's vulnerable with this PoC:

https://github.com/neex/phuip-fpizdam
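For reference while someone tests the real config, here is the location-block shape the CVE-2019-11043 write-ups describe as exploitable, next to the same block with the file-existence check that the advisories recommend. This is an added illustration, not wallabag's nginx.conf and not a statement about whether wallabag's config is affected; the document root, the upstream name and the location regex are assumed. The underlying bug is in PHP-FPM (bug #78599), so the real fix is a patched PHP (7.3.11, 7.2.24, 7.1.33 or later); the nginx-side check only keeps the malformed request from reaching FPM, and only the PoC linked above actually proves exploitability.

```nginx
# Added example, not the wallabag project's config. Assumed: document root
# /var/www/html, upstream "php-fpm:9000", scripts addressed as /index.php/...

# (a) Risky shape described in the CVE-2019-11043 advisories: PATH_INFO is
#     derived from the URI by fastcgi_split_path_info and handed to PHP-FPM
#     with no check that the script path actually exists on disk. A request
#     path containing an encoded newline (%0a) makes the split regex fail,
#     so $fastcgi_path_info is empty and the whole URI is passed as the script.
location ~ [^/]\.php(/|$) {
    root /var/www/html;                           # assumed
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass php-fpm:9000;                    # assumed upstream
}

# (b) Same block with the recommended check: try_files answers 404 unless
#     $document_root$fastcgi_script_name is a real file, so a URI whose script
#     part never resolves on disk is dropped before it reaches PHP-FPM.
#     $fastcgi_script_name (not $uri) is used so legitimate PATH_INFO such as
#     /index.php/some/route still passes: the script part is /index.php.
location ~ [^/]\.php(/|$) {
    root /var/www/html;                           # assumed
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass php-fpm:9000;                    # assumed upstream
}
```

When reviewing a config against this pattern, look at the combination rather than any single line: `fastcgi_split_path_info` by itself is normal Symfony-style setup, and the point of interest is whether a `try_files ... =404` (or an equivalent existence check) sits in the same location block that passes `PATH_INFO` to FPM, and which PHP version the php-fpm container runs.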

j0k3r commented 4 years ago

The config is here: https://github.com/wallabag/docker/blob/f86d945624865dcb4fa1d2d6a53b54b77285221b/root/etc/nginx/nginx.conf

If someone can test whether the config is vulnerable 👍