Results 1 to 5 of 5
Threaded View
-
29th Aug 2011, 07:00 AM #1OPMember
Securing php-fpm with nginx
Found this one while searching how to secure php-fpm.
Consider a situation where remote users can upload their own pictures to the site. Lets say that an attacker uploads an image to http://www.bambookites.com/uploads/random.gif. What happens, given the server block above, if the attacker then browses to http://www.bambookites.com/uploads/random.gif/somefilename.php?
- nginx will look at the URL, see that it ends in .php, and pass the path along to the PHP fastcgi handler.
- PHP will look at the path, find the .gif file in the filesystem, and store /somefilename.php in $_SERVER['PATH_INFO'], executing the contents of the GIF as PHP.
Since GIFs and other image types can contain arbitrary content within them, it?s possible to craft a malicious image that contains valid PHP. That is how the attacker was able to compromise the server: he or she uploaded a malicious image containing PHP code to the site, then browsed to the file in a way that caused it to be parsed as PHP.
This issue was first discovered almost a year ago. The original report can be found in Chinese at http://www.80sec.com/nginx-securit.html. There is also a discussion about it on the nginx forums.
This issue can be mitigated in a number of ways, but there are downsides associated with each of the possibilities:
- Set cgi.fix_pathinfo to false in php.ini (it?s set to true by default). This change appears to break any software that relies on PATH_INFO being set properly (eg: WordPress).
- Add try_files $uri =404; to the location block in your nginx config. This only works when nginx and the php-fcgi workers are on the same physical server.
- Add a new location block that tries to detect malicious URLs. Unfortunately, detecting based on the URL alone is impossible: files don?t necessarily need to have extensions (eg: README, INSTALL, etc).
- Explicitly exclude upload directories using an if statement in your location block. The disadvantage here is the use of a blacklist: you have to keep updating your nginx configuration every time you install a new application that allows uploads.
- Don?t store uploads on the same server as your PHP. The content is static anyway: serve it up from a separate (sub)domain. Of course, this is easier said than done: not all web applications make this easy to do.
masterb56 Reviewed by masterb56 on . Securing php-fpm with nginx Found this one while searching how to secure php-fpm. Source: https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ Rating: 5
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
[TUT] Securing /tmp and /dev/shm partion
By .:Raymond:. in forum Technical and Security TutorialsReplies: 6Last Post: 9th Jun 2011, 08:47 AM -
[TUT] Securing SSH a bit ;)
By .:Raymond:. in forum Technical and Security TutorialsReplies: 13Last Post: 9th Jun 2011, 08:29 AM -
[Selling] VPS Securing Services
By iL < in forum Completed TransactionsReplies: 2Last Post: 31st Mar 2010, 05:13 AM -
Need help securing VPS!!
By lukip006 in forum Server ManagementReplies: 5Last Post: 31st Aug 2009, 04:14 PM -
securing vb forum
By lenney in forum vBulletinReplies: 16Last Post: 19th Jul 2009, 08:43 PM
themaPoster - post to forums and...
Version 5.18 released. Open older version (or...