Security issue on Nginx, PHP & fastcgi_split_path_info

security nginx

You're referring to an issue where an attacker can upload arbitrary code to an nginx web server and then trick the server into executing it as PHP. (No CVE exists for this issue as it is technically a misconfiguration rather than a vulnerability.)

Any of the methods you listed can be used to remediate the issue.

Another, simpler way of remediating this issue is to add the following into your PHP location:

try_files $uri =404;

Though this only works if nginx and PHP are running on the same server, which is almost always true.

The recommendation, of course, is that you clearly document what you're doing and why.


In recent versions of php, this is no longer an issue:

From the file /etc/php-fpm.d/www.conf: 

; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; exectute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5

Related

Is Tomcat vulnerable to the Apache DoS vulnerability in CVE-2011-3192?
Redirect browser based on non-negotiable SSL/TLS protocol or cipher
(Ubuntu) setuid bash doesn't work
how to configure HAProxy as a reverse proxy?
Postfix sender_dependent_relayhost_maps: do not relay a specific address
What is the secure way to isolate ftp server users on unix?
How can I verify successful replication of two domain controllers
View Remote Desktop access logs on Win 2003
sftp gives permission denied only when chrooted?
How to set up a Mercurial repo like BitBucket on a Linux machine?
opendkim-testkey: key not secure
Boot failure with root on MD (RAID1) + LVM: udev event timing