49 messages in ru.sysoev.nginxRe: nginx 0day exploit for nginx + fa...| From | Sent On | Attachments |
|---|---|---|
| Avleen Vig | May 21, 2010 10:06 am | |
| Avleen Vig | May 21, 2010 10:26 am | |
| Michael Shadle | May 21, 2010 10:27 am | |
| Igor Sysoev | May 21, 2010 10:32 am | |
| Igor Sysoev | May 21, 2010 10:39 am | |
| Michael Shadle | May 21, 2010 10:47 am | |
| Igor Sysoev | May 21, 2010 11:11 am | |
| Ian Evans | May 21, 2010 11:25 am | |
| Michael Shadle | May 21, 2010 11:35 am | |
| Igor Sysoev | May 21, 2010 11:36 am | |
| Ian M. Evans | May 21, 2010 12:03 pm | |
| Jérôme Loyet | May 21, 2010 12:44 pm | |
| Igor Sysoev | May 21, 2010 1:38 pm | |
| Ian Evans | May 21, 2010 1:49 pm | |
| brianmercer | May 21, 2010 2:02 pm | |
| Igor Sysoev | May 21, 2010 2:17 pm | |
| Ian Evans | May 21, 2010 2:50 pm | |
| Cliff Wells | May 21, 2010 5:56 pm | |
| Grzegorz Sienko | May 21, 2010 6:17 pm | |
| Michael Shadle | May 21, 2010 6:30 pm | |
| Cliff Wells | May 21, 2010 7:37 pm | |
| Ian M. Evans | May 21, 2010 10:23 pm | |
| Igor Sysoev | May 21, 2010 10:27 pm | |
| Igor Sysoev | May 21, 2010 11:06 pm | |
| Ian Evans | May 21, 2010 11:55 pm | |
| Igor Sysoev | May 22, 2010 12:53 am | |
| Ian M. Evans | May 22, 2010 2:42 am | |
| Igor Sysoev | May 22, 2010 3:06 am | |
| Ian M. Evans | May 22, 2010 3:16 am | |
| Igor Sysoev | May 22, 2010 3:22 am | |
| Ian M. Evans | May 22, 2010 3:49 am | |
| Ian M. Evans | May 22, 2010 5:13 am | |
| Igor Sysoev | May 22, 2010 5:23 am | |
| Ian M. Evans | May 22, 2010 5:44 am | |
| Ding Deng | May 22, 2010 6:23 am | |
| Michael Shadle | May 22, 2010 12:25 pm | |
| Ian M. Evans | May 22, 2010 3:26 pm | |
| Weibin Yao | May 23, 2010 8:19 pm | |
| Jérôme Loyet | May 23, 2010 11:56 pm | |
| Weibin Yao | May 24, 2010 1:13 am | |
| Eren Türkay | May 25, 2010 8:40 am | |
| gdork | Jan 26, 2011 8:06 pm | |
| Michael Shadle | Jan 26, 2011 8:13 pm | |
| Edho P Arief | Jan 26, 2011 9:22 pm | |
| Michael Shadle | Jan 26, 2011 10:03 pm | |
| tuurtnt | Dec 14, 2011 3:25 pm | |
| Kraiser | Feb 17, 2012 6:53 am | |
| Reinis Rozitis | Feb 17, 2012 8:39 am | |
| zsero | Oct 30, 2012 10:01 am |
| Subject: | Re: nginx 0day exploit for nginx + fastcgi PHP | |
|---|---|---|
| From: | Michael Shadle (mike...@gmail.com) | |
| Date: | May 22, 2010 12:25:54 pm | |
| List: | ru.sysoev.nginx | |
I believe that it will address the issue. Should give it a shot. I have some scripts that I had to use it on even though I have cgi.fix_pathinfo=1
On May 22, 2010, at 6:23 AM, Ding Deng <ding...@gmail.com> wrote:
Igor Sysoev <ig...@sysoev.ru> writes:
On Fri, May 21, 2010 at 10:07:00AM -0700, Avleen Vig wrote:
This is currently doing the rounds, so I thought it pertinent to post it here too.
http://www.webhostingtalk.com/showthread.php?p=6807475#post6807475
I don't know what nginx should do to fix this, but there are two workarounds given. If you allow file uploads (especially things like images) and use PHP FastCGI in the back end, you should take a loot at this now. The exploit allows for any arbitrary file which is uploaded, to be executed as PHP.
I do not see why this is treated as nginx bug ? Why is anyone able at all to upload images to /scripts directory ? Why does PHP have cgi.fix_pathinfo option ? BTW, I'm just curious how does lighttpd resolve this issue ?
I suspect the 'broken-scriptfilename' option did the trick, and there's also a 'Configuring PHP' section which explains the relationship between 'cgi.fix_pathinfo', PATH_INFO, PHP_SELF and 'broken-scriptfilename'.
http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModFastCGI
more on 'cgi.fix_pathinfo':
Igor, would 'fastcgi_split_path_info' help on this?
Also instead of
if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
it should be worked around as
location ~ \..*/.*\.php$ { return 403; }
location ~ \.php$ { return 403; }
_______________________________________________ nginx mailing list ngi...@nginx.org http://nginx.org/mailman/listinfo/nginx
_______________________________________________ nginx mailing list ngi...@nginx.org http://nginx.org/mailman/listinfo/nginx