
Vulnerability of the PHP + nginx bundle with a sloppy config


Announced: 2010-05-20
Credits: 80sec
Affects: sites on nginx + PHP where users can upload files into a directory served by a fastcgi_pass location


Guides on configuring nginx with php-fpm / php-cgi often contain lines like these:

    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;   # backend address missing on the page; 127.0.0.1:9000 is the usual php-fpm listener
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        include        fastcgi_params;
    }

Problem Description

However, if you request example.com/1px.gif/test.php from the server, the URI will be 1px.gif/test.php, which matches the location ~ \.php$, and SCRIPT_FILENAME will become /scripts/1px.gif/test.php.

Further, if cgi.fix_pathinfo == 1 (the default), PHP will set SCRIPT_FILENAME to /scripts/1px.gif and PATH_INFO to test.php.

NB! In some configurations the vulnerability is also triggered by a URL of the form 1px.gif%00test.php.

As a result, the PHP interpreter will execute /scripts/1px.gif. That is, any user who is allowed to upload files to the server (for example, avatars) can craft a special image that both passes GD size validation and is executed by the PHP interpreter, and will thereby be able to run arbitrary code on the server with the rights of the PHP process.


Solution

Either via cgi.fix_pathinfo = 0 in php.ini


or through the nginx.conf config:

    location ~ \.php$ {
        try_files      $fastcgi_script_name =404;
        fastcgi_pass   127.0.0.1:9000;   # backend address missing on the page; 127.0.0.1:9000 is the usual php-fpm listener
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        include        fastcgi_params;
    }

This returns 404 for every request whose .php script path does not exist as a file on disk, so the request never reaches PHP and cgi.fix_pathinfo has nothing to split.
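To make the path splitting and the two fixes concrete, here is an added example that is not part of the original post and does not use PHP's or nginx's real code: a small Python model of how cgi.fix_pathinfo=1 walks back along SCRIPT_FILENAME until it hits an existing file (the rest becomes PATH_INFO), and of what `try_files $fastcgi_script_name =404` in front of fastcgi_pass changes. The document root, the uploaded 1px.gif and index.php are constructed in a temporary directory; the function names are this example's own. The model reports PATH_INFO with a leading slash (/test.php), which is how PHP exposes it, and treats the disabled-fix_pathinfo case as a 404 where real PHP would answer "No input file specified".

```python
import os
import re
import shutil
import tempfile

# nginx: location ~ \.php$  (regex on the request URI, not on what exists on disk)
PHP_LOCATION = re.compile(r"\.php$")


def fix_pathinfo_split(script_filename):
    """Model of cgi.fix_pathinfo=1: strip trailing path components until an
    existing regular file is found; that file is the script, the stripped
    tail is PATH_INFO.  Returns (None, None) if nothing on the path exists."""
    path, path_info = script_filename, ""
    while path not in ("", "/"):
        if os.path.isfile(path):
            return path, path_info
        head, tail = os.path.split(path)
        path_info = "/" + tail + path_info
        path = head
    return None, None


def handle_php_request(doc_root, uri, fix_pathinfo=True, try_files=False):
    """Model of the nginx location block followed by the PHP side.
    Returns ("executed", script relative to doc_root, path_info),
    ("404",) or ("static", uri)."""
    if "\x00" in uri:            # the %00 variant: never hand a NUL-bearing path to a backend
        return ("404",)
    if not PHP_LOCATION.search(uri):
        return ("static", uri)   # not our location; nginx would serve it as a file
    fastcgi_script_name = uri
    if try_files:
        # try_files $fastcgi_script_name =404: the URI itself must be an existing file
        candidate = os.path.join(doc_root, fastcgi_script_name.lstrip("/"))
        if not os.path.isfile(candidate):
            return ("404",)
    # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name
    script_filename = doc_root + fastcgi_script_name
    if fix_pathinfo:
        script, path_info = fix_pathinfo_split(script_filename)
    else:
        # cgi.fix_pathinfo=0: PHP takes SCRIPT_FILENAME literally, no walking back
        script = script_filename if os.path.isfile(script_filename) else None
        path_info = ""
    if script is None:
        return ("404",)
    return ("executed", os.path.relpath(script, doc_root), path_info)


def build_demo_root():
    """Constructed document root: an uploaded image and a legitimate script."""
    root = tempfile.mkdtemp(prefix="nginx_php_demo_")
    with open(os.path.join(root, "1px.gif"), "wb") as f:
        f.write(b"GIF89a\x01\x00\x01\x00")   # constructed stand-in for an uploaded image
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'ok'; ?>")
    return root


def demo():
    """Run the same request against the sloppy config and both fixes."""
    root = build_demo_root()
    try:
        return {
            # sloppy config: the image is what PHP ends up executing
            "vulnerable": handle_php_request(root, "/1px.gif/test.php"),
            # fix 1: try_files in nginx refuses the request before PHP sees it
            "try_files": handle_php_request(root, "/1px.gif/test.php", try_files=True),
            # fix 2: cgi.fix_pathinfo=0 in php.ini, PHP stops walking the path
            "fix_pathinfo_off": handle_php_request(root, "/1px.gif/test.php", fix_pathinfo=False),
            # a real script still works with the hardened location
            "legit": handle_php_request(root, "/index.php", try_files=True),
            # the NUL-byte form of the same request
            "nul_byte": handle_php_request(root, "/1px.gif\x00test.php", try_files=True),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} -> {result}")
```

The "vulnerable" entry shows the core of the bug: nginx matched the location on the URI suffix, but PHP chose the script by what exists on disk, and the two disagree. Both fixes work by making one side defer to the other, either nginx checks disk before proxying (try_files) or PHP stops guessing (cgi.fix_pathinfo=0); applying both is the usual choice.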

Source: https://habr.com/ru/post/100961/
