Nginx file type error Parsing Vulnerability and Solution

Vulnerability Description: nginx is a high-performance web server that is widely used. It is often used as a reverse proxy and supports PHP operations. 80sec finds that there is a serious security problem. By default, it may cause the server to incorrectly parse any types of files in PHP mode, which will lead to serious security problems, this allows malicious attackers to attack nginx servers that support PHP.

Vulnerability Analysis: nginx supports PHP running in CGI Mode by default. For example, in the configuration file

Location ~ \. Php $ {
Root HTML;
Fastcgi_pass 127.0.0.1: 9000;
Fastcgi_index index. php;
Fastcgi_param script_filename/scripts $ fastcgi_script_name;
Include fastcgi_params;
}

You can use the URI environment variable to select the request. The key variable script_filename passed to the backend FastCGI is determined by $ fastcgi_script_name generated by nginx, through analysis, we can see that $ fastcgi_script_name is directly controlled by the URI environment variable. Here is the problem. To better support extraction of path_info, the CGI. fix_pathinfo option exists in the configuration options of PHP. The purpose is to extract the real script name from script_filename.
Assume that there is one, and we will access it in the following way:

Http://www.80sec.com/80sec.jpg/80sec.php

You will get a URI

/80sec.jpg/80sec. php

After the location command, the request will be sent to the backend FastCGI for processing. nginx sets the environment variable script_filename for it. The content is

/Scripts/80sec.jpg/80sec. php

In other webservers such as Lighttpd, we find that the script_filename is correctly set

/Scripts/80sec.jpg

This problem does not exist.
When the backend FastCGI receives this option, it determines whether to perform additional processing on script_filename Based on the fix_pathinfo configuration, in general, setting fix_pathinfo will affect the application that uses path_info for route selection. Therefore, this option is generally enabled. PHP uses this option to search for the real script file name. The search method is to check whether the file exists. At this time, the script_filename and path_info are separated

/Scripts/80sec.jpg and 80sec. php

Finally, with/scripts/80sec.jpg as the script to be executed for this request, attackers can enable nginx to parse any types of files using PHP.
PoC: compile an nginxto support the PHP site, and add/80sec. php to a resource file such as robots.txt. You can see the following differences at this time:
Http://www.80sec.com/robots.txt access

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-alive: timeout = 20
Accept-ranges: bytes

Access http://www.80sec.com/robots.txt/80sec.php

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-encoding: chunked
Connection: keep-alive
Keep-alive: timeout = 20
X-powered-by: PHP/5.2.6

The change in Content-Type indicates the change in backend Resolution, and the site may have a vulnerability.
Vulnerability vendor: http://www.nginx.org
Solution:
We have tried to contact the official website, but you can reduce the loss through the following methods:

Disable CGI. fix_pathinfo to 0

Or

If ($ fastcgi_script_name ~ \ .. * \/. * PHP ){
Return 403;
} When using this method, place the code in the configuration files of each website under nginx/sites-enabled/, modify the code, and restart nginx. (Note: You can use this method to open a rewritten website and view the redirection address)