Security issue on Nginx, PHP & fastcgi_split_path_info

Howard asked:

According to this post, if I am using PHP/Nginx, for better security I should either use

cgi.fix_pathinfo = 0

or

if ( $fastcgi_script_name ~ \..*\/.*php ) {
  return 403;
}

Another tutorial recommends the style of

fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;

Are they contradictory to each other? Any security recommendation?

Thanks.

My answer:


You’re referring to an issue where an attacker who can upload a file containing PHP code to an nginx web server (an avatar image, say) then tricks the server into executing it as PHP: a request such as /uploads/avatar.jpg/x.php matches the PHP location, nginx hands PHP a script path that does not exist on disk, and with cgi.fix_pathinfo = 1 PHP walks back up that path until it finds the real file, avatar.jpg, and runs it as a script. (No CVE exists for this issue as it is technically a misconfiguration rather than a vulnerability.)

Any of the methods you listed can be used to remediate the issue.

Another, simpler way of remediating this issue is to add the following into your PHP location:

try_files $uri =404;

Though this only works if nginx and PHP-FPM share the same filesystem view of the document root, i.e. they run on the same server, which is almost always true.

The recommendation, of course, is that you clearly document what you’re doing and why.
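To show the misconfiguration and the fix side by side, here is an added nginx server block; it is example configuration written for this page, not the original poster's or my Server Fault config. The hostname example.com, the document root /var/www/example, the /uploads/ directory and the PHP-FPM socket path /run/php/php-fpm.sock are all assumptions.

```nginx
server {
    listen 80;
    server_name example.com;          # assumed hostname
    root /var/www/example;            # assumed document root
    index index.php index.html;

    # VULNERABLE (with the php.ini default cgi.fix_pathinfo = 1), kept here
    # commented out for comparison. A request for /uploads/avatar.jpg/x.php
    # matches this location, SCRIPT_FILENAME becomes
    # /var/www/example/uploads/avatar.jpg/x.php, which does not exist, and
    # PHP's path-info fix-up walks back to /uploads/avatar.jpg and executes it.
    #
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass unix:/run/php/php-fpm.sock;
    # }

    # HARDENED: only hand PHP-FPM a script that really exists on disk.
    location ~ \.php$ {
        # /uploads/avatar.jpg/x.php is not a file, so nginx answers 404 itself
        # and PHP never sees the request. Requires nginx and PHP-FPM to share
        # the same filesystem view of $document_root.
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Defence in depth for the assumed upload directory: nothing under it is
    # ever executed, regardless of how the PHP location above is written.
    location ~* ^/uploads/.*\.php {
        return 403;
    }
}
```

Note that try_files $uri =404 also rejects legitimate PATH_INFO URLs such as /index.php/some/route, because $uri includes the trailing path. If the application needs PATH_INFO, keep the existence check but split the script name first: fastcgi_split_path_info ^(.+\.php)(/.+)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; fastcgi_param PATH_INFO $path_info; (the copy into $path_info is needed because try_files resets $fastcgi_path_info). Either way, document which variant you chose and why.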


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.