
Vulnerability in the PHP + nginx bundle with a sloppy config

Summary

Announced: 2010-05-20
Credits: 80sec
Affects: sites running nginx + PHP where users can upload files into a directory that is served through fastcgi_pass

Background

Guides to configuring nginx with php-fpm / php-cgi often contain a block like this:

 location ~ \.php$ {
     fastcgi_pass 127.0.0.1:9000;
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
     include fastcgi_params;
 }


Problem Description

However, if the server is asked for example.com/1px.gif/test.php, the URI is 1px.gif/test.php, which matches the location ~ \.php$, and SCRIPT_FILENAME becomes /scripts/1px.gif/test.php.

Then, if cgi.fix_pathinfo == 1 (the default), PHP rewrites SCRIPT_FILENAME to /scripts/1px.gif and sets PATH_INFO to test.php.

NB! In some configurations the vulnerability is triggered by a URL of the form 1px.gif%00test.php.

As a result, the PHP interpreter will process /scripts/1px.gif. I.e.,

Impact

Any user who can upload files to the server (avatars, for example) can craft a special image that both passes GD size validation and is executed by the PHP interpreter, and thereby gains arbitrary code execution on the server with the rights of the php process.

Workaround

Either in php.ini:

 cgi.fix_pathinfo=0

or in the nginx.conf config:

 location ~ \.php$ {
     try_files $fastcgi_script_name =404;
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
     include fastcgi_params;
 }

The latter effectively closes access to all non-existent .php files.
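To show the mis-routing described above and why each workaround stops it, here is an added Python emulation (not part of the original article) of the page's location block together with PHP's cgi.fix_pathinfo path splitting. DOCROOT, EXISTING, split_path_info and resolve are assumptions of this example, and the filesystem is a constructed set of paths rather than real files.

```python
import re

DOCROOT = "/scripts"                      # document root from the page's config
PHP_LOCATION = re.compile(r"\.php$")      # location ~ \.php$

# Constructed fixture standing in for the filesystem:
# one uploaded avatar and one legitimate script.
EXISTING = {"/scripts/1px.gif", "/scripts/index.php"}


def split_path_info(script_filename, existing):
    """Emulate cgi.fix_pathinfo=1: PHP drops trailing path components until
    what remains is an existing file, which becomes the script; the dropped
    tail becomes PATH_INFO (PHP reports it with a leading slash).  A NUL byte
    (the %00 variant) ends the path for stat(), as it does in the C library."""
    script = script_filename.split("\x00", 1)[0]
    tail = []
    while script not in existing and "/" in script.strip("/"):
        script, last = script.rsplit("/", 1)
        tail.insert(0, last)
    if script not in existing:
        return script_filename, ""        # nothing usable found; PHP will fail
    return script, ("/" + "/".join(tail)) if tail else ""


def resolve(uri, fix_pathinfo=1, try_files=False, existing=EXISTING):
    """Route an already-decoded request URI the way the page's nginx config
    does and return (handler, script_filename, path_info, http_status).
    Whether a %00 survives decoding into the URI depends on the nginx build."""
    if not PHP_LOCATION.search(uri):
        return "static", None, None, (200 if DOCROOT + uri in existing else 404)
    script = DOCROOT + uri   # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name
    if try_files and script not in existing:
        return "nginx", None, None, 404   # try_files $fastcgi_script_name =404
    path_info = ""
    if fix_pathinfo:
        script, path_info = split_path_info(script, existing)
    if script not in existing:
        return "php", script, path_info, 404   # PHP: "No input file specified"
    return "php", script, path_info, 200       # PHP executes `script`


if __name__ == "__main__":
    for kwargs in ({}, {"fix_pathinfo": 0}, {"try_files": True}):
        print(kwargs, resolve("/1px.gif/test.php", **kwargs))
```

With the default settings the uploaded gif is handed to PHP as the script; with either workaround the same request ends in a 404 before any image is interpreted.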

Source: https://habr.com/ru/post/100961/
