PHP Fast-CGI security pitfall

Hello,

I just read this article https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ which highlights a common security pitfall when serving PHP files.
I don’t see any similar advice in your PHP on Fast-CGI tutorial http://wiki.nginx.org/PHPFcgiExample nor in your pitfalls page http://wiki.nginx.org/Pitfalls.

On the last page, you talk about the problem in the Pass Non-PHP Requests to PHP section, and you seem to point in the right direction in the Proxy everything section, but not for the right reasons.
You tell people to use an ‘if’ to check for file existence, but the use of ‘try’ is much better, as you know, since you redirect to the IfIsEvil page.

The article I gave you a reference to offers 5 different ways to secure the server. The ‘try_files $uri =404;’ seems to be a nice way of preventing non-PHP scripts from being executed, isn’t it?
Thanks,

B. R.

On Tue, Nov 22, 2011 at 2:32 PM, B.R. [email protected] wrote:

You tell people to use an ‘if’ to check for file existence, but the use of ‘try’ is much better, as you know, since you redirect to the IfIsEvil page.

The article I gave you a reference to offers 5 different ways to secure the server. The ‘try_files $uri =404;’ seems to be a nice way of preventing non-PHP scripts from being executed, isn’t it?

I generally use the following template for serving PHP via FastCGI:

location ~ \.php$ {
    # return 404 unless the requested file actually exists on disk
    if (!-f $request_filename) { return 404; }

    fastcgi_pass 127.0.0.1:8000;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    ...
}

The ‘if’ statement causes 404 to be returned unless the requested file actually exists. Making sure that people can’t upload files ending in ‘.php’ is a separate matter, but I believe that this configuration takes care of the security issue described in your first link.

For the given example, nginx detects that
NameBright - Coming Soon doesn’t
refer to an actual php file, so nothing is passed to the interpreter.

- Max

Your use of the ‘if’ switch is listed in the pitfalls page of nginx http://wiki.nginx.org/Pitfalls (see the Check IF File Exists section) :o)
It is said you should use the ‘try’ one!

My message was: is using the ‘try’ switch with the ‘=404’ the right way? If yes, can someone add that to the nginx wiki?

B. R.

According to the previous article, in your template it is better to write:

location ~ \.php$ {
    # hand the request to FastCGI only if $uri exists as a file; otherwise 404
    try_files $uri =404;

    fastcgi_pass 127.0.0.1:8000;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    ...
}

It doesn’t matter whether you use if or try_files. If people would
actually read the if is evil page then it specifically states that “It
is important to note that the behaviour of if is not inconsistent, given
two identical requests it will not randomly fail on one and work on the
other, with proper testing and understanding ifs can be used.”

If you prefer if then use an if, if you prefer try_files then use a
try_files, there’s really no reason to agonize over this issue.

Posted at Nginx Forum: