Some security vulnerability

What do you guys think about implementing this into nginx just like it is
in apache?
if ( $fastcgi_script_name ~ \..*/.*php ) {
    return 403;
}
because without that some servers which allow uploading images are
vulnerable to external exploits.

Posted at Nginx Forum:

On Sun, Jun 5, 2011 at 5:01 PM, Kraiser [email protected] wrote:

What do you guys think about implementing this into nginx just like it is
in apache?
if ( $fastcgi_script_name ~ \..*/.*php ) {
    return 403;
}
because without that some servers which allow uploading images are
vulnerable to external exploits.

or just

try_files $uri =404;

Ensiferous Wrote:

Please elaborate on how allowing a filename like
.dsadsada/sad.php is insecure.

Here is a better explanation of the issue:


Please elaborate on how allowing a filename like .dsadsada/sad.php is
insecure.


On 5 June 2011 12:01, Kraiser [email protected] wrote:

What do you guys think about implementing this into nginx just like it is
in apache?
if ( $fastcgi_script_name ~ \..*/.*php ) {
    return 403;
}
because without that some servers which allow uploading images are
vulnerable to external exploits.

They’re vulnerable because of bad site design and configuration
(although I do think nginx’s location parsing logic makes it
uncomfortably easy to produce insecure configurations). Why not
eliminate the vulnerability instead of hardening against it with more
configuration? The .php match should not be attempted in any untrusted
user-upload directory – use sub-locations.

Thomas

On 5 Jun 2011 14h40 WEST, [email protected] wrote:

eliminate the vulnerability instead of hardening against it with
more configuration? The .php match should not be attempted in any
untrusted user-upload directory – use sub-locations.

I agree. Either nested locations and/or enumeration of all PHP-enabled
locations is the way to go. The above is just a stopgap for a proper,
meaning secure, configuration.

— appa
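An added example, not written by any poster in this thread, showing what Thomas's sub-location advice and the try_files stopgap look like together in one server block; the hostname, document root and php-fpm address are assumptions.

```nginx
server {
    listen 80;
    server_name example.com;        # assumed hostname
    root /var/www/example;          # assumed document root

    # The weak layout the thread warns about: a single server-level
    # "location ~ \.php$" that also applies under the upload directory.
    # With PHP's cgi.fix_pathinfo=1, a request such as
    # /uploads/image.jpg/x.php would hand the uploaded image.jpg to PHP.
    #
    #   location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; ... }

    # Untrusted user uploads: the ^~ prefix match stops nginx from
    # consulting the server-level regex locations for this prefix, and
    # the nested location makes the "no PHP here" decision explicit.
    location ^~ /uploads/ {
        location ~ \.php {
            return 403;
        }
    }

    # PHP is enabled only in this enumerated location. try_files is the
    # stopgap from the thread: the script file must exist on disk, so
    # /image.jpg/x.php is answered with 404 instead of reaching PHP.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;  # assumed php-fpm address
    }
}
```

Check the result with `nginx -t` and then request a path like `/uploads/test.jpg/x.php`; it should return 403 from the nested location, while a non-existent `.php` path outside `/uploads/` returns 404 from try_files.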

On Sun, Jun 5, 2011 at 7:03 PM, Kraiser [email protected] wrote:

Ensiferous Wrote:

Please elaborate on how allowing a filename like
.dsadsada/sad.php is insecure.

Here is a better explanation of the issue:
Minor FastCGI issues

or this Re: nginx 0day exploit for nginx + fastcgi PHP