This is a very dangerous Remote File Inclusion bug in Nginx+php-fpm.
Nginx+php-fpm shows a dangerous bug because it allows a PHP shell
hidden in an image to run.
If you have a PHP script like this:
<?php
// Takes the file name straight from the query string and includes it:
// include() evaluates PHP code found in ANY file, whatever its extension.
$rfi = $_GET['call'];
include($rfi);
?>
then the PHP shell formed in an image (jpg/gif) can be executed
with a command like this
but it doesn't affect when I tried it on Apache.
I'm using Nginx 0.8.53 and php-fpm. I got my website hacked 3 times by
this bug.
I hope someone knows what to do with this situation, because I think this
is a serious bug and there will be many victims if this thing is not solved.
The try_files $uri =404 is not very smart since it involves making a
spurious stat() call, AFAIK.
Instead you should enumerate all your PHP files with exact '=' locations
and place something like this at the end of your config:
## Catch-all for any .php request that no exact location matched.
location ~* \.php {
return 404;
}
Or if relying on PATH_INFO you should do something like this:
## Regular PHP processing.
location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
include fastcgi.conf;
## The fastcgi_params must be redefined from the ones
## given in fastcgi.conf. No longer standard names
## but arbitrary: named patterns in regex.
fastcgi_param SCRIPT_FILENAME $document_root$script;
fastcgi_param SCRIPT_NAME $script;
fastcgi_param PATH_INFO $path_info;
## Passing the request upstream to the FastCGI
## listener.
fastcgi_pass phpcgi;
}
Also your script is broken since you grab the value from the URI
without doing any filtering. So you're setting yourself up for being
exploited, even with a safe configuration.
Until now I'm unable to find which script lets the hacker access the
PHP shell formed in an image.
That's just a script I found on Google; it's not supposed to be
running, and it is unable to execute on Apache.
See this: http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using
Apache, and the PHP shell is unable to execute.
Why won't it execute on Apache but executes on Nginx? This is really
freaking me out.
I wish someone could help me stop it from executing, like Apache does.
Thanks
...you must be kidding me. That's like asking why you get SQL
injection when you have code like this: mysql_query("select * from
users where username = '$_GET['user']'").
Use
echo file_get_contents($rfi);
instead. Note that even with this someone can set the parameter to
something like "../index.php" and with sufficient effort might be able
to locate your database etc. (or your /etc/passwd). Something like
It does exactly what you wrote: it "includes and evaluates" that
file.
Use fopen()+fread(), file_get_contents() or readfile() and sanitize
the input from GET.
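The two replies above make the same point: include() on user input evaluates whatever file is named, and even a plain read needs the parameter sanitized so it cannot reach outside the intended directory. The following PHP is an added illustration, not code from this thread or from any poster: it keeps the vulnerable pattern as a comment beside a hardened replacement that restricts the parameter to a bare name, resolves the path itself, checks that the resolved file stays inside an assumed ./pages/ directory, and reads it instead of including it.

```php
<?php
// Added example (not from the thread). Assumed layout: page fragments live
// in ./pages/ as plain .html files and are served by name via ?call=<name>.

// --- Vulnerable pattern from the thread, kept here only as a comment. ---
// $rfi = $_GET['call'];
// include($rfi);   // ?call=shell.jpg evaluates PHP hidden inside the image

// --- Hardened replacement: allowlist + path containment, read instead of include. ---
const PAGES_DIR = __DIR__ . '/pages';   // assumed directory name

/**
 * Return the contents of an allowed page fragment, or null when the request
 * names anything that is not a plain file name or resolves outside PAGES_DIR.
 */
function load_page(string $name): ?string
{
    // 1. Accept only a simple name: no slashes, dots, NUL bytes or URL schemes,
    //    so "../index.php", "/etc/passwd" and "http://..." are rejected up front.
    if (!preg_match('/^[a-z0-9_-]+$/i', $name)) {
        return null;
    }

    // 2. Build the path ourselves and resolve it. realpath() returns false for a
    //    missing file and collapses symlinks and any remaining '..' components.
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $name . '.html');
    if ($base === false || $real === false) {
        return null;
    }

    // 3. Containment check: the resolved file must sit below the base directory.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // 4. Read, never include(): the file's bytes are sent as-is and are not
    //    evaluated as PHP, so an uploaded "image" with PHP tags stays inert.
    return file_get_contents($real);
}

$name = $_GET['call'] ?? 'home';
$body = is_string($name) ? load_page($name) : null;

if ($body === null) {
    http_response_code(404);
    echo 'Not found';
} else {
    header('Content-Type: text/html; charset=utf-8');
    echo $body;
}
```

The regex check alone would already block traversal; the realpath containment check is kept as a second, independent layer so that a later change to the allowed character set (for example permitting a subdirectory separator) cannot silently reopen the hole. Reading with file_get_contents() rather than include() is what actually removes the "PHP shell inside a JPEG" class of problem the original post describes.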
"but it doesn't affect when I tried it on Apache"
Most likely mod_php and php-fpm use a different php.ini or even a
different DOCUMENT_ROOT.
http://www.ceriwis.org/rfi.php?hal=info.php - display_errors=on:
Warning: include(info.php) [function.include]: failed to open stream:
No such file or directory in /home/ceriorg/public_html/rfi.php on line 4
Warning: include() [function.include]: Failed opening ‘info.php’ for
inclusion (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in
/home/ceriorg/public_html/rfi.php on line 4
Please don't ask nginx nor FPM to secure insecure code like this one!
Learn how to sanitize inputs, learn the basics of secure coding, or ask a
professional.
I feel that you are taking the wrong route, because you ignore numerous
suggestions from people on this forum to fix your PHP code, but here's
how to disable PHP scripts in myfolder:
## Deny any .php request under /myfolder/ (note the escaped dot).
location ~ ^/myfolder/.*\.php$ {
return 403;
}
Which forum software are you running? Perhaps changing the forum
application will fix all of your problems without the need to alter the
nginx configuration. Ask yourself why remote file inclusion is ever
necessary and why it is there in the first place.
Andrejs
Thanks for your help. I really appreciate it. I'm using vBulletin and it is
always updated.