Avoiding Arbitrary Code Execution with nginx and php-fastcgi (nealpoole.com)
61 points by nbpoole on April 8, 2011 | hide | past | favorite | 15 comments



This is another reason why it was a good idea to have my big application consist of only one public file which can easily be whitelisted. Everything else lives outside the web root and is never directly executed.

    location ~ ^/index\.php {
        proxy_pass   http://localhost:8080;
    }
Everything else in the web root is static files and can be served directly. The rest of the application uses a URL routing scheme based on PATH_INFO.
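The layout that comment describes, written out as an added nginx server block (not the commenter's own config): exactly one PHP entry point is handed to FastCGI, every other `.php` path is refused, and unknown paths fall through to the router with the original path in PATH_INFO. The web root and the FastCGI address are assumptions.

```nginx
# Added example, not from the original post. Assumed: web root
# /var/www/app/public and a PHP FastCGI/FPM listener on 127.0.0.1:9000.
server {
    listen 80;
    root /var/www/app/public;

    # Only /index.php, optionally followed by a path segment, reaches PHP.
    # The anchored regex does not match /index.php.bak, /index.phpx or
    # /uploads/x.jpg/index.php, so nothing else in the web root is executed.
    location ~ ^/index\.php(/|$) {
        include fastcgi_params;
        # Split "/index.php/some/route" into script and trailing path info.
        fastcgi_split_path_info ^(/index\.php)(/.*)$;
        # Pin the script to the one whitelisted file rather than trusting
        # whatever the request URI happened to contain.
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Any other *.php in the web root is neither executed nor served.
    location ~ \.php$ {
        return 404;
    }

    # Static files are served as-is; anything else becomes
    # /index.php/<original path>, which the block above routes on PATH_INFO.
    location / {
        try_files $uri $uri/ /index.php$uri?$args;
    }
}
```

Check it with `nginx -t` and then confirm that a request for a non-existent `.php` path under an upload directory returns 404 rather than being passed to FastCGI.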


I use something similar but a bit simpler to read:

  location = /index.php {
    fastcgi_pass 127.0.0.1:9000;
  }


Wow, am I glad I caught this link--I'm just now switching my servers from Apache to Nginx/php-fastcgi, configured more or less just like the article says...

I decided to switch to Nginx for the fabled performance benefits and relatively simple configuration. But this now makes me wonder what other gotchas there are in store for me... I have a long history with Apache, maybe I should just stick with it after all...


Articles like this are exactly why I come to HN.

I was planning to move my server from Apache to Nginx soon. I suppose it's as good a time as ever to learn any gotchas.


Likewise. I just set up a staging server based on the Linode tutorials. In another month I would have been hosed.


Was totally unaware of this issue in Nginx/PHP-FPM - going to check my conf files now!

UPDATE: Here's the thread on this issue right from NGINX.org http://forum.nginx.org/read.php?2,88845,page=3


Yup, that was the first page I found too: it's also the first result for "php nginx 0 day." I link to it a couple times in the post. :)



For strong security (especially for frameworks like CodeIgniter):

    location = /index.php { proxy_pass http://localhost:8080; }

It only runs exactly index.php in the root.


Does this same issue exist within Lighttpd with a FastCGI setup?


I don't see any reason why it wouldn't. I do plan to test that later today though.


Tested with the suggested configuration from the lighttpd wiki. I could not replicate the issue, which is strange.


Is this PHP-FastCGI specific, or is PHP-FPM affected too?


PHP-FPM is FastCGI, with a process manager thrown in.


Oh, I'm not a sys admin, so I wasn't sure :) Thanks.

