Some security vulnerability

What do you guys think about implementing this into nginx just like it is
in apache?
if ( $fastcgi_script_name ~ …*/.*php ) {
return 403;
}
because without that some servers which allow image uploads are
vulnerable to external exploits.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,204051,204051#msg-204051

On Sun, Jun 5, 2011 at 5:01 PM, Kraiser [email protected] wrote:

> What do you guys think about implementing this into nginx just like it is
> in apache?
> if ( $fastcgi_script_name ~ …*/.*php ) {
> return 403;
> }
> because without that some servers which allow image uploads are
> vulnerable to external exploits.

or just

try_files $uri =404;

Ensiferous Wrote:

> Please elaborate on how allowing a filename like
> .dsadsada/sad.php is insecure.

Here is a better explanation of the issue:
http://forum.nginx.org/read.php?15,192150,192150

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,204051,204068#msg-204068

Please elaborate on how allowing a filename like .dsadsada/sad.php is
insecure.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,204051,204064#msg-204064

On 5 June 2011 12:01, Kraiser [email protected] wrote:

> What do you guys think about implementing this into nginx just like it is
> in apache?
> if ( $fastcgi_script_name ~ …*/.*php ) {
> return 403;
> }
> because without that some servers which allow image uploads are
> vulnerable to external exploits.

They’re vulnerable because of bad site design and configuration
(although I do think nginx’s location parsing logic makes it
uncomfortably easy to produce insecure configurations). Why not
eliminate the vulnerability instead of hardening against it with more
configuration? The .php match should not be attempted in any untrusted
user-upload directory – use sub-locations.

Thomas

On 5 Jun 2011 14h40 WEST, [email protected] wrote:

> eliminate the vulnerability instead of hardening against it with
> more configuration? The .php match should not be attempted in any
> untrusted user-upload directory – use sub-locations.

I agree. Either nested locations and/or enumeration of all PHP-enabled
locations is the way to go. The above is just a stopgap for a proper,
meaning secure, configuration.

— appa
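To make the two approaches in this thread concrete (the nested-location fix Thomas and appa recommend, and the try_files stopgap posted earlier), here is an added configuration example that is not from any poster; the document root, the /uploads/ directory name and the PHP-FPM upstream address are assumptions for illustration.

```nginx
# Added example, not from the thread. Paths, server names and the
# upstream address are assumptions for illustration.

# --- Weak form: one catch-all PHP location covers the whole site,
# including the untrusted upload directory. With cgi.fix_pathinfo=1 in
# php.ini, a request for /uploads/avatar.jpg/x.php matches this location,
# nginx passes it on without checking that x.php exists, and PHP walks
# back to avatar.jpg and executes the uploaded file as a script.
server {
    listen 80;
    server_name weak.example;        # assumed
    root /var/www/example;           # assumed document root

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;  # assumed PHP-FPM upstream
    }
}

# --- Hardened form: a nested location so the .php match is never
# attempted under the upload directory, plus try_files as the stopgap
# from this thread so nginx answers 404 unless the .php file really exists.
server {
    listen 80;
    server_name hardened.example;    # assumed
    root /var/www/example;

    # Untrusted uploads: static files only. ^~ makes this prefix win over
    # the regex PHP location below for anything under /uploads/.
    location ^~ /uploads/ {
        # Anything that looks like a script in the upload tree is refused.
        location ~ \.php$ { return 403; }
    }

    # PHP only outside the upload tree.
    location ~ \.php$ {
        try_files $uri =404;          # /foo.jpg/x.php -> 404 when x.php is absent
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

Note that `try_files $uri =404` also rejects legitimate PATH_INFO-style URLs such as /index.php/route, which is why the thread treats it as a stopgap rather than the fix; the nested location is what actually removes the PHP handler from the upload directory.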

On Sun, Jun 5, 2011 at 7:03 PM, Kraiser [email protected] wrote:

> Ensiferous Wrote:
>
> > Please elaborate on how allowing a filename like
> > .dsadsada/sad.php is insecure.
>
> Here is a better explanation of the issue:
> http://forum.nginx.org/read.php?15,192150,192150

or this http://forum.nginx.org/read.php?2,88845,88996
