Package: nginx
Hi.

A few days ago, I noticed a security issue on my own nginx server by mistyping the URL of a file (http://www.davromaniak.eu/vrac/helpdesk_set_on_fire.png/index.php [1] instead of http://www.davromaniak.eu/vrac/helpdesk_set_on_fire.png [2]). The strangest part is that FastCGI tried to read and execute the PNG file as if it were a regular PHP script.

I tried to search around the web for this, and I found http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html [3]

To summarize:

- Create a basic PHP script called photo.php (it could contain a simple phpinfo(), but imagine the results with other content).
- Rename it to photo.jpg.
- Then try to access http://yourwebsite.tld/photo.jpg/foobar.php [4]: without protection, the phpinfo() is displayed.

On CMS, forum and blog engines with file uploading enabled, which mostly check the file extension, it could be a big problem.

So I opted for the second solution on my server, and it seems to work and not be too resource-intensive.

Because of this, I think we can edit the sample conf for the virtualhost using this block in order to inform the user about this issue.

----
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
# Security fix, see bug #XXXXX for more information
#
# Refuse any request whose path has a dot before a slash, e.g. /photo.jpg/foobar.php,
# so a script hidden in an upload cannot be reached through PATH_INFO.
# This block must come before the general \.php$ block: nginx tests regex
# locations in the order they appear and uses the first one that matches.
#location ~ \..*/.*\.php$ {
#    return 403;
#}
#
#location ~ \.php$ {
#    fastcgi_pass 127.0.0.1:9000;
#    fastcgi_index index.php;
#    include fastcgi_params;
#}
----

I tested it with the latest versions of Drupal, Dotclear and WordPress; it works and the loading time is not affected.

Thanks.

--
Cyril "Davromaniak" Lavier

Links:
------
[1] http://www.davromaniak.eu/vrac/helpdesk_set_on_fire.png/index.php
[2] http://www.davromaniak.eu/vrac/helpdesk_set_on_fire.png
[3] http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
[4] http://yourwebsite.tld/photo.jpg/foobar.php
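As an added example (not part of the report above and not nginx code), a small Python model of how nginx chooses between the two regex locations in the proposed block. It shows the upload trick being refused while a normal script still reaches FastCGI, and two things worth checking on a real server: the 403 rule only protects if it appears before the general \.php$ rule, and a legitimate directory whose name contains a dot is refused by the same rule. The request paths and the "403"/"fastcgi"/"static" labels are constructed for the example.

```python
import re

# Model of nginx regex-location selection: regex locations are tried in the
# order they appear in the config and the first match wins.  These two rules
# are the ones from the proposed sample config.
SAFE_ORDER = [
    (r"\..*/.*\.php$", "403"),       # dot, later a slash, then a .php name
    (r"\.php$", "fastcgi"),          # everything else ending in .php
]

# Same rules, wrong order: the general rule would win before the 403 rule is seen.
UNSAFE_ORDER = list(reversed(SAFE_ORDER))


def route(uri, locations=SAFE_ORDER):
    """Return which location nginx would select for a request URI.

    Location matching is done on the path only, so the query string is
    dropped first.  Returns "static" when no regex location matches.
    """
    path = uri.split("?", 1)[0]
    for pattern, action in locations:
        if re.search(pattern, path):
            return action
    return "static"


# Constructed requests: the mistyped URL from the report, a normal PHP script,
# an ordinary image, and a directory with a dot in its name (the caveat).
SAMPLE_REQUESTS = [
    "/vrac/helpdesk_set_on_fire.png/index.php",
    "/photo.jpg/foobar.php?x=1",
    "/index.php",
    "/vrac/helpdesk_set_on_fire.png",
    "/v1.2/index.php",
]


def report(locations=SAFE_ORDER):
    """Map each sample request to the action taken under the given rule order."""
    return {uri: route(uri, locations) for uri in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for order_name, order in (("safe order", SAFE_ORDER), ("unsafe order", UNSAFE_ORDER)):
        print(order_name)
        for uri, action in report(order).items():
            print(f"  {action:8} {uri}")
```

Running it prints the selected action per request for both orders; with the unsafe order the mistyped URL is handed to FastCGI exactly as the report describes.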