Nginx+Php-fpm Dangerous Bug

This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
Nginx+php-fpm shows a dangerous bug because it allows a PHP shell
hidden in an image to run.

if you have a php script like this:

<?php $rfi = $_GET['call']; include($rfi); ?>

and the PHP shell formed in an image (jpg/gif) can be executed
with a command like this:
http://www.your-domain.com/script.php?call=phpshell.jpg

but it has no effect when I tried it on Apache

as an example you can see here:

http://www.ceriwis.org/rfi.php?hal=ass.jpg <------------ using NGINX and
phpshell executed

and

http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using Apache and
phpshell unable to be executed

someone told me I should use:
1. try_files $uri =404; or this:
2. if (!-f $request_filename) { return 404; } or this:
3. cgi.fix_pathinfo=0
4. http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
5. Igor Sysoev's tips:
http://forum.nginx.org/read.php?2,88845,88858#msg-88858
but none of them work, I still can access
http://www.ceriwis.org/rfi.php?hal=ass.jpg and the phpshell still
appears.

I'm using Nginx 0.8.53 and php-fpm. I got my website hacked 3 times by
this bug.
I hope someone knows what to do with this situation because I think this
is a serious bug and there will be many victims if this is not solved.

thanks

Please give me a solution. thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219532#msg-219532

On 3 Dec 2011 08h26 WET, [email protected] wrote:

and phpshell executed
http://forum.nginx.org/read.php?2,88845,88858#msg-88858 but none of
them work, I still can access
http://www.ceriwis.org/rfi.php?hal=ass.jpg and the phpshell still
appears.

The try_files $uri =404 is not very smart since it involves making a
spurious stat() call AFAIK.

Instead you should enumerate all your php files with exact '='
locations and place something
like this at the end of your config.

location ~* \.php {
return 404;
}

Or if relying on PATH_INFO you should do something like this:

    ## Regular PHP processing.
    location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
        include fastcgi.conf;
        ## The fastcgi_params must be redefined from the ones
        ## given in fastcgi.conf. No longer standard names
        ## but arbitrary: named patterns in regex.
        fastcgi_param SCRIPT_FILENAME $document_root$script;
        fastcgi_param SCRIPT_NAME $script;
        fastcgi_param PATH_INFO $path_info;
        ## Passing the request upstream to the FastCGI
        ## listener.
        fastcgi_pass phpcgi;
    }

Also your script is broken since you grab the value from the URI
without doing any filtering. So you’re setting yourself up for being
exploited. Even with a safe configuration.

Put also:

allow_url_fopen = Off

in your php.ini

See: http://www.php.net/manual/en/function.filter-var.php

Please give me solution. thanks

Write code that sanitizes the input appropriately. Of course using
also a safe configuration.

— appa

This is my PHP configuration:

server {
    listen 80;
    server_name www.ceriwis.org;
    #rewrite ^/(.*) http://ceriwis.us/$1 permanent;
    client_max_body_size 50M;

    #access_log logs/host.access.log main;

    location / {
        root /home/ceriorg/public_html;
        index index.php index.html;

        location /crwscp {
            auth_basic "Administrator Login";
            auth_basic_user_file /home/htpasswd.txt;
        }

        location ~ \..*/.*\.php {
            return 403;
        }

        if ($http_user_agent ~* "^.*(sharp).*") {
            return 403;
        }

    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

    location ~ \.php$ {
        root public_html;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param HTTPS on;
        fastcgi_param SCRIPT_FILENAME /home/ceriorg/public_html$fastcgi_script_name;
        #fastcgi_intercept_errors on;

    }

}

I still don't understand the point you told me. I need to
put (allow_url_fopen = Off) in php.ini
and then what else?
thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219535#msg-219535


Also your script is broken since you grab the value from the URI
without doing any filtering. So you’re setting yourself up for being
exploited. Even with a safe configuration.

Until now I'm unable to find which script lets the hacker access the
phpshell formed in an image.
That's just a script I found on Google; it's not supposed to be
running and cannot be executed on Apache.
See this: http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using
Apache and phpshell unable to be executed
Why won't it execute on Apache but executes on Nginx? This is really
freaking me out.

I wish someone can help me stop it executing, like Apache does.
thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219536#msg-219536

hi man, until now I'm unable to find which script lets the hacker
access the phpshell formed in an image.
That's just a script I found on Google; it's not supposed to be
running and cannot be executed on Apache.
See this: http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using
Apache and phpshell unable to be executed
Why won't it execute on Apache but executes on Nginx? This is really
freaking me out.

I wish someone can help me stop it executing, like Apache does.
thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219538#msg-219538

On Sat, Dec 3, 2011 at 3:26 PM, escavern [email protected] wrote:

...you must be kidding me. That's like asking why you get SQL
injection when you have code like this: mysql_query("select * from
users where username = '$_GET['user']'").

use

echo file_get_contents($rfi);

instead. Note that even with this someone can set the parameter to
something like "../index.php" and with sufficient effort might be able
to locate your database etc (or your /etc/passwd). Something like

echo file_get_contents('./uploaddir/'.basename($rfi));

is much better. Note that I'm not sufficiently knowledgeable in PHP so
the recommendation above might still be insecure.

Apache has more hand-holding features, which is why it doesn't work there.


O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
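appa's advice to filter the parameter and Edho's basename() suggestion can be put together in one script. What follows is an added example written for this page, not code from the thread: a hardened replacement for the posted rfi.php. The pages/ and uploads/ directories, the page names, the `img` parameter and the use of `hal` (the parameter name in the URLs above; the posted script reads `call`) are assumptions. Nothing the client sends ever reaches include(): a page is chosen by key from an allowlist and resolved with realpath(), and uploaded images are returned as bytes with a checked Content-Type.

```php
<?php
// Added example for this page, not code from the thread. A hardened
// replacement for the posted rfi.php: the "hal" parameter chooses a page
// by name from an allowlist, and uploaded images are sent back as bytes.
// PAGE_DIR, UPLOAD_DIR, the page names and the "img" parameter are
// assumptions made for the example.
declare(strict_types=1);

const PAGE_DIR   = __DIR__ . '/pages';
const UPLOAD_DIR = __DIR__ . '/uploads';

// Only these files are ever passed to include(). The client supplies a
// key, never a path, so "../x", "/etc/passwd" and "ass.jpg" cannot reach
// include() at all.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . PAGES[$name]);
    // realpath() is false for a missing file and follows symlinks, so a
    // prefix check on the canonical path catches anything outside PAGE_DIR
    // (for example a symlinked template) that crept into the allowlist.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Serve an uploaded image as data. basename() strips any directory part,
// the extension allowlist rejects everything that is not an image name,
// and finfo rejects a non-image file that was merely renamed to .jpg.
function serve_upload(string $name): bool
{
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'png'  => 'image/png',
    ];
    $name = basename($name);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $path = UPLOAD_DIR . '/' . $name;
    if (!isset($allowed[$ext]) || !is_file($path)) {
        return false;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($detected !== $allowed[$ext]) {
        return false; // contents do not match the extension
    }
    header('Content-Type: ' . $detected);
    // Stop browsers from sniffing the body into something else (e.g. HTML).
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

if (isset($_GET['img'])) {
    if (!serve_upload((string) $_GET['img'])) {
        http_response_code(404);
    }
    exit;
}

$page = resolve_page((string) ($_GET['hal'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('not found');
}
include $page;
```

Setting allow_url_fopen = Off (and allow_url_include = Off) in php.ini is still worth doing, but it does not stop the case in this thread: ass.jpg is a local file under the document root, so include() never goes through a URL wrapper, and no nginx location rule sees that file name either. Note also that finfo only looks at the file header; a real JPEG with PHP appended in a comment segment still passes the check, which is harmless here only because the upload is read with readfile() and never include()d.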

On Sat, Dec 3, 2011 at 4:09 PM, escavern [email protected] wrote:

i wish someone can help me to stop it executed like apache does.
thanks

http://ceri.ws/rfi.php?hal=/etc/httpd/conf/httpd.conf



Today Dec 3, 2011 at 03:26 escavern wrote:

Include() for files from GET? Do you really think it is good php code?
http://php.net/manual/en/function.include.php

and the Php-shell formed in image(jpg/gif) can be executed to running
with command like this
http://www.your-domain.com/script.php?call=phpshell.jpg

It does exactly what you wrote: it "includes and evaluates" that
file.
Use fopen()+fread(), file_get_contents() or readfile() and sanitize
the input from GET.

but it doesnt affect when i tried on Apache

Most likely mod_php and php-fpm use different php.ini or even
DOCUMENT_ROOT.

http://www.ceriwis.org/rfi.php?hal=info.php - display_errors=on:
Warning: include(info.php) [function.include]: failed to open stream:
No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
Warning: include(info.php) [function.include]: failed to open stream:
No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
Warning: include() [function.include]: Failed opening ‘info.php’ for
inclusion (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in
/home/ceriorg/public_html/rfi.php on line 4

http://ceri.ws/rfi.php?hal=info.php - display_errors=off and silence.

someone told me I should use:
1. try_files $uri =404; or this:
2. if (!-f $request_filename) { return 404; } or this:
3. cgi.fix_pathinfo=0
4. http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
5. Igor Sysoev's tips:
http://forum.nginx.org/read.php?2,88845,88858#msg-88858
but none of them work, I still can access
http://www.ceriwis.org/rfi.php?hal=ass.jpg and the phpshell still
appears.

  1. Fix php code.


WNGS-RIPE

2011/12/3 Edho A. [email protected]:

On Sat, Dec 3, 2011 at 4:09 PM, escavern [email protected] wrote:

i wish someone can help me to stop it executed like apache does.
thanks

http://ceri.ws/rfi.php?hal=/etc/httpd/conf/httpd.conf

http://ceri.ws/rfi.php?hal=/etc/redhat-release, welcome on CentOS 5.7 :)

please don't ask nginx or FPM to secure insecure code like this one!
learn how to sanitize inputs, learn the basics of secure coding or ask a
professional :)

what else ?

++ fat

ok thanks man... :)
now I need 2 nginx rewrites:

  1. to disable php running in folder /myfolder
    so if there is a php file like http://www.my-domain.com/script.php it
    will not be executed.

  2. I need a rewrite to return 403 if
    "http://www.ceriwis.org/rfi.php?hal=ass.jpg" same as
    "http://www.ceriwis.org/rfi.php*.jpg*", so if there is "jpg" after the php
    extension it will return 403... is that possible? because I'm not good at
    creating nginx rewrites :)

can you help me guys?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219543#msg-219543

correction:

ok thanks man... :)
now I need 2 nginx rewrites:

  1. to disable php running in folder /myfolder
    so if there is a php file like
    http://www.my-domain.com/myfolder/script.php it will not be executed.

  2. I need a rewrite to return 403 if
    "http://www.ceriwis.org/rfi.php?hal=ass.jpg" same as
    "http://www.ceriwis.org/rfi.php*.jpg*", so if there is "jpg" after the php
    extension it will return 403... is that possible? because I'm not good at
    creating nginx rewrites :)

can you help me guys?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219544#msg-219544

Today Dec 3, 2011 at 04:48 escavern wrote:

correction:

ok thanks man... :)
now I need 2 nginx rewrites:

  1. to disable php running in folder /myfolder
    so if there is a php file like
    http://www.my-domain.com/myfolder/script.php it will not be executed.

http://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ^~ /myfolder {}

  2. I need a rewrite to return 403 if
    "http://www.ceriwis.org/rfi.php?hal=ass.jpg" same as
    "http://www.ceriwis.org/rfi.php*.jpg*", so if there is "jpg" after the php
    extension it will return 403... is that possible? because I'm not good at
    creating nginx rewrites :)

Add to location ~ \.php$ :
if ($args ~* \.jpg) {return 403;}


WNGS-RIPE

How to:

disable php running in folder /myfolder,
so if there is a php file like
http://www.my-domain.com/myfolder/script.php it will not be executed?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219548#msg-219548

Thanks man!

Today Dec 3, 2011 at 04:48 escavern wrote:

correction:

ok thanks man... :)
now I need 2 nginx rewrites:

  1. to disable php running in folder /myfolder
    so if there is a php file like
    http://www.my-domain.com/myfolder/script.php it will not be executed.

http://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ^~ /myfolder {}

  2. I need a rewrite to return 403 if
    "http://www.ceriwis.org/rfi.php?hal=ass.jpg" same as
    "http://www.ceriwis.org/rfi.php*.jpg*", so if there is "jpg" after the
    php
    extension it will return 403... is that possible? because I'm not
    good at
    creating nginx rewrites :)

Add to location ~ \.php$ :
if ($args ~* \.jpg) {return 403;}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219547#msg-219547

I feel that you are taking the wrong route, because you ignore numerous
suggestions from people on this forum to fix your PHP code, but here's
how to disable PHP scripts in myfolder:

location ~ ^/myfolder/.*\.php$ {
return 403;
}

Which forum software are you running? Perhaps changing the forum
application will fix all of your problems without the need to alter the
nginx configuration. Ask yourself why remote file inclusion is ever
necessary and why it is there in the first place.

Andrejs

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219554#msg-219554
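The nginx-side advice in this thread (Andrejs's per-directory deny, the try_files / cgi.fix_pathinfo items in the original list, and the empty `location ^~ /myfolder {}` suggestion) fits together in one server block. The following is an added example written for this page, not configuration from the thread or from the nginx project; the root path is the one from the posted config, while the host name, the /myfolder and /uploads directories and the upstream address are assumptions. Two caveats that the replies above leave implicit: an empty `location ^~ /myfolder {}` hands /myfolder/script.php to the static file handler, which discloses the script's source instead of running it, so the explicit 403 is the right form; and the `if ($args ~* \.jpg)` check is not a defence, because `$args` is not URL-decoded (`hal=ass%2Ejpg` slips past it) and the shell can be uploaded under any other extension. None of these rules can stop `rfi.php?hal=ass.jpg` itself: include() opens the local file inside PHP, and nginx never sees that file name.

```nginx
# Added example (not from the thread or the nginx project). Paths other
# than the document root, the host name, /myfolder, /uploads and the
# php-fpm address are assumptions.
server {
    listen 80;
    server_name www.example.org;
    root /home/ceriorg/public_html;   # one root for the whole server
    index index.php index.html;

    # Uploads are static content: serve them with an image type or as a
    # download, never through php-fpm. Regex locations are tried in the
    # order written, so this one must precede the generic PHP handler.
    location ~ ^/uploads/ {
        types {
            image/jpeg jpg jpeg;
            image/gif  gif;
            image/png  png;
        }
        default_type application/octet-stream;
        add_header X-Content-Type-Options nosniff;
    }

    # No PHP execution under /myfolder. An empty "location ^~ /myfolder {}"
    # would serve the .php source instead; deny explicitly.
    location ~ ^/myfolder/.*\.php$ {
        return 403;
    }

    # Generic PHP handler, PATH_INFO split in the regex as in appa's reply.
    location ~ ^(?<script>.+\.php)(?<path_info>/.*)?$ {
        # Only hand php-fpm a script that exists on disk. With
        # cgi.fix_pathinfo=1 a request for /uploads/x.jpg/a.php would
        # otherwise make PHP fall back to executing x.jpg.
        try_files $script =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$script;
        fastcgi_param SCRIPT_NAME     $script;
        fastcgi_param PATH_INFO       $path_info;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

On the PHP side set cgi.fix_pathinfo=0 in php.ini as the list above suggests, and in php-fpm builds that support it, security.limit_extensions = .php in the pool configuration, so php-fpm itself refuses to execute a file whose name does not end in .php. These settings close the path-info hole; the include() in rfi.php still has to be fixed in the application.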

locojohn Wrote:

changing the forum application will fix all of
your problems without the need to alter nginx
confoguration. Ask yourself why remote file
inclusion is ever necessary and why is it there in
the first place?

Andrejs

thanks for your help. I really appreciate it. I'm using vBulletin and it's
always updated

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219532,219562#msg-219562
