Re: nginx 0day exploit for nginx + fastcgi PHP - Igor Sysoev - ru.sysoev.nginx

49 messages in ru.sysoev.nginxRe: nginx 0day exploit for nginx + fa...

From	Sent On	Attachments
Avleen Vig	May 21, 2010 10:06 am
Avleen Vig	May 21, 2010 10:26 am
Michael Shadle	May 21, 2010 10:27 am
Igor Sysoev	May 21, 2010 10:32 am
Igor Sysoev	May 21, 2010 10:39 am
Michael Shadle	May 21, 2010 10:47 am
Igor Sysoev	May 21, 2010 11:11 am
Ian Evans	May 21, 2010 11:25 am
Michael Shadle	May 21, 2010 11:35 am
Igor Sysoev	May 21, 2010 11:36 am
Ian M. Evans	May 21, 2010 12:03 pm
Jérôme Loyet	May 21, 2010 12:44 pm
Igor Sysoev	May 21, 2010 1:38 pm
Ian Evans	May 21, 2010 1:49 pm
brianmercer	May 21, 2010 2:02 pm
Igor Sysoev	May 21, 2010 2:17 pm
Ian Evans	May 21, 2010 2:50 pm
Cliff Wells	May 21, 2010 5:56 pm
Grzegorz Sienko	May 21, 2010 6:17 pm
Michael Shadle	May 21, 2010 6:30 pm
Cliff Wells	May 21, 2010 7:37 pm
Ian M. Evans	May 21, 2010 10:23 pm
Igor Sysoev	May 21, 2010 10:27 pm
Igor Sysoev	May 21, 2010 11:06 pm
Ian Evans	May 21, 2010 11:55 pm
Igor Sysoev	May 22, 2010 12:53 am
Ian M. Evans	May 22, 2010 2:42 am
Igor Sysoev	May 22, 2010 3:06 am
Ian M. Evans	May 22, 2010 3:16 am
Igor Sysoev	May 22, 2010 3:22 am
Ian M. Evans	May 22, 2010 3:49 am
Ian M. Evans	May 22, 2010 5:13 am
Igor Sysoev	May 22, 2010 5:23 am
Ian M. Evans	May 22, 2010 5:44 am
Ding Deng	May 22, 2010 6:23 am
Michael Shadle	May 22, 2010 12:25 pm
Ian M. Evans	May 22, 2010 3:26 pm
Weibin Yao	May 23, 2010 8:19 pm
Jérôme Loyet	May 23, 2010 11:56 pm
Weibin Yao	May 24, 2010 1:13 am
Eren Türkay	May 25, 2010 8:40 am
gdork	Jan 26, 2011 8:06 pm
Michael Shadle	Jan 26, 2011 8:13 pm
Edho P Arief	Jan 26, 2011 9:22 pm
Michael Shadle	Jan 26, 2011 10:03 pm
tuurtnt	Dec 14, 2011 3:25 pm
Kraiser	Feb 17, 2012 6:53 am
Reinis Rozitis	Feb 17, 2012 8:39 am
zsero	Oct 30, 2012 10:01 am

Subject:	Re: nginx 0day exploit for nginx + fastcgi PHP
From:	Igor Sysoev (ig...@sysoev.ru)
Date:	May 21, 2010 1:38:51 pm
List:	ru.sysoev.nginx

On Fri, May 21, 2010 at 03:04:18PM -0400, Ian M. Evans wrote:

On 5/21/2010 2:36 PM, Igor Sysoev wrote:

On Fri, May 21, 2010 at 02:26:31PM -0400, Ian Evans wrote:

Is this situation only pertaining to sites that allow uploads from forms?

Going way back to this thread (http://www.ruby-forum.com/topic/145358#645652) in '08, I needed cgi.fix-pathinfo=1 to fix problems with paths and specific extensionless files I needed run as php.

Changing cgi.fix-pathinfo=1 to 0 broke a lot of stuff.

Could you show again how URIs should be mapped to SCRIPT_FILENAME and PATH_INFO ? Modern nginx versions support named captures in regex.

This is what you came up with in the thread back in '08:

location ~ ^/(cr|news|poll|posters|photos|profile|review)(/|$) { root /usr/local/apache/htdocs; set $script_name $uri; set $path_info "";

if ($uri ~ ^(/[^/]+)(/.*)) { set $script_name $1; set $path_info $2; fastcgi_pass 127.0.0.1:10004; } ... fastcgi_param SCRIPT_FILENAME $document_root$script_name; fastcgi_param PATH_INFO $path_info; } location ~ /(cr|news|poll|posters|photos|profile|review)(/|$) { root /usr/local/apache/htdocs; set $script_name $uri; set $path_info ""; if ($uri ~ ^(.*/(?:cr|news|poll|posters|photos|profile|review))(/.*)) { set $script_name $1; set $path_info $2; fastcgi_pass 127.0.0.1:10004; } ... fastcgi_param SCRIPT_FILENAME $document_root$script_name; fastcgi_param PATH_INFO $path_info; fastcgi_pass 127.0.0.1:10004; }

The two variations were needed to handle when the extensionless php script file was in the root (example.com/NEWS/2006/1/24) or several subdirs down (example.com/tiff/2007/1/PHOTOS/16)

location ~ ^/(?<SN>cr|news|poll|posters|photos|profile|review)(?<PI>/.*$|$) { root /usr/local/apache/htdocs; fastcgi_pass 127.0.0.1:10004; fastcgi_param SCRIPT_FILENAME $document_root/$SN; fastcgi_param PATH_INFO $PI; }

location ~ ^(?<SN>.*/(cr|news|poll|posters|photos|profile|review)(?<PI>/.*$|$) { root /usr/local/apache/htdocs; fastcgi_pass 127.0.0.1:10004; fastcgi_param SCRIPT_FILENAME $document_root$SN; fastcgi_param PATH_INFO $PI; }

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets