Now tried to test for the exploit ( http://forum.nginx.org/read.php?2,88845,88996 ), nginx returns 403 directly without hitting my backend php

===============
curl -s -D - 'http://www.example.com/test.jpg/f.php'
HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 14 Dec 2012 17:40:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive

Access denied.
===============

In which version was it fixed?

Thanks.
on 2012-12-15 08:01
on 2012-12-15 15:20
On Sat, Dec 15, 2012 at 03:00:53PM +0800, howard chen wrote:

Hi there,

> Now tried to test for the exploit (
> http://forum.nginx.org/read.php?2,88845,88996 ), nginx returns 403 directly
> without hitting my backend php

> In which version was it fixed?

What's in your nginx.conf?

The one location that matches /test.jpg/f.php, plus the server-level config if relevant?

I suspect it was fixed in "whichever version you used a suitable configuration in".

(But maybe I misunderstood the nature of the problem.)

f
--
Francis Daly email@example.com
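
A sketch of the kind of location block the reply asks about, added here as an example and not taken from either poster's nginx.conf: a PHP location that matches /test.jpg/f.php and only hands the request to the backend when the script exists on disk. The document root and the FastCGI address are assumptions, and nginx is assumed to see the same filesystem as PHP.

```nginx
# Added example, not configuration from the thread.
server {
    listen 80;
    server_name www.example.com;
    root /var/www/html;                  # assumed document root

    # Weak form, shown commented out for comparison: every URI ending in
    # .php is handed to the backend, including /test.jpg/f.php, where no
    # file named f.php exists.
    #
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass 127.0.0.1:9000;
    # }

    # Corrected form: nginx checks that the requested script is a real file
    # before proxying, and answers 404 itself when it is not.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;     # assumed PHP FastCGI listener
    }
}
```

With this location, the curl request from the first post is answered with a 404 by nginx itself and never reaches the PHP backend.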