49 messages in ru.sysoev.nginxRe: nginx 0day exploit for nginx + fa...| From | Sent On | Attachments |
|---|---|---|
| Avleen Vig | May 21, 2010 10:06 am | |
| Avleen Vig | May 21, 2010 10:26 am | |
| Michael Shadle | May 21, 2010 10:27 am | |
| Igor Sysoev | May 21, 2010 10:32 am | |
| Igor Sysoev | May 21, 2010 10:39 am | |
| Michael Shadle | May 21, 2010 10:47 am | |
| Igor Sysoev | May 21, 2010 11:11 am | |
| Ian Evans | May 21, 2010 11:25 am | |
| Michael Shadle | May 21, 2010 11:35 am | |
| Igor Sysoev | May 21, 2010 11:36 am | |
| Ian M. Evans | May 21, 2010 12:03 pm | |
| Jérôme Loyet | May 21, 2010 12:44 pm | |
| Igor Sysoev | May 21, 2010 1:38 pm | |
| Ian Evans | May 21, 2010 1:49 pm | |
| brianmercer | May 21, 2010 2:02 pm | |
| Igor Sysoev | May 21, 2010 2:17 pm | |
| Ian Evans | May 21, 2010 2:50 pm | |
| Cliff Wells | May 21, 2010 5:56 pm | |
| Grzegorz Sienko | May 21, 2010 6:17 pm | |
| Michael Shadle | May 21, 2010 6:30 pm | |
| Cliff Wells | May 21, 2010 7:37 pm | |
| Ian M. Evans | May 21, 2010 10:23 pm | |
| Igor Sysoev | May 21, 2010 10:27 pm | |
| Igor Sysoev | May 21, 2010 11:06 pm | |
| Ian Evans | May 21, 2010 11:55 pm | |
| Igor Sysoev | May 22, 2010 12:53 am | |
| Ian M. Evans | May 22, 2010 2:42 am | |
| Igor Sysoev | May 22, 2010 3:06 am | |
| Ian M. Evans | May 22, 2010 3:16 am | |
| Igor Sysoev | May 22, 2010 3:22 am | |
| Ian M. Evans | May 22, 2010 3:49 am | |
| Ian M. Evans | May 22, 2010 5:13 am | |
| Igor Sysoev | May 22, 2010 5:23 am | |
| Ian M. Evans | May 22, 2010 5:44 am | |
| Ding Deng | May 22, 2010 6:23 am | |
| Michael Shadle | May 22, 2010 12:25 pm | |
| Ian M. Evans | May 22, 2010 3:26 pm | |
| Weibin Yao | May 23, 2010 8:19 pm | |
| Jérôme Loyet | May 23, 2010 11:56 pm | |
| Weibin Yao | May 24, 2010 1:13 am | |
| Eren Türkay | May 25, 2010 8:40 am | |
| gdork | Jan 26, 2011 8:06 pm | |
| Michael Shadle | Jan 26, 2011 8:13 pm | |
| Edho P Arief | Jan 26, 2011 9:22 pm | |
| Michael Shadle | Jan 26, 2011 10:03 pm | |
| tuurtnt | Dec 14, 2011 3:25 pm | |
| Kraiser | Feb 17, 2012 6:53 am | |
| Reinis Rozitis | Feb 17, 2012 8:39 am | |
| zsero | Oct 30, 2012 10:01 am |
| Subject: | Re: nginx 0day exploit for nginx + fastcgi PHP | |
|---|---|---|
| From: | Michael Shadle (mike...@gmail.com) | |
| Date: | May 21, 2010 10:27:36 am | |
| List: | ru.sysoev.nginx | |
Question is, what functionality is lost by changing
cgi.fix_pathinfo = 0
Looks like the other workaround is something like this:
if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
Which i basically saying what exactly? If there is a period and slash somewhere prior to the last "filename" to return a 403?
Ideally while this is being thought out it would be cool to fix the common "no input file specified" issue that a lot of people have - have it return a 404 instead. Not sure if it's a simple php.ini change (perhaps the path info?) or change fastcgi_param REDIRECT_STATUS 200?
On Fri, May 21, 2010 at 10:07 AM, Avleen Vig <avl...@gmail.com> wrote:
This is currently doing the rounds, so I thought it pertinent to post it here too.
http://www.webhostingtalk.com/showthread.php?p=6807475#post6807475
I don't know what nginx should do to fix this, but there are two workarounds given. If you allow file uploads (especially things like images) and use PHP FastCGI in the back end, you should take a loot at this now. The exploit allows for any arbitrary file which is uploaded, to be executed as PHP.
_______________________________________________ nginx mailing list ngi...@nginx.org http://nginx.org/mailman/listinfo/nginx
_______________________________________________ nginx mailing list ngi...@nginx.org http://nginx.org/mailman/listinfo/nginx