A solution to the nginx file type error parsing vulnerability is provided.

[Article banquet Article version: v1.2 last modified: 2010.05.24 reprinted please specify the original article link: http://blog.zyan.cc/nginx_0day/]

Note: If you have read this article before, January 26, May 23, 2010, please set it according to the latest configuration in V1.1.

Yesterday, 80sec reported that nginx had a serious 0-day vulnerability. For details, see nginx file type error Parsing Vulnerability. As long as the user has the permission to upload images to the nginx + PHP server, there is a possibility of intrusion.

In fact, this vulnerability is not nginx vulnerability, but PHP path_info vulnerability, see: http://bugs.php.net/bug.php? Id = 50852 & edit = 1

For example, if a user uploads a photo, the access address is photo.

Temporary solutions provided on the Internet include:

Method ① modify PHP. ini, set CGI. fix_pathinfo = 0, and restart PHP-CGI. This modification affects applications that use the path_info pseudo-static, such as my previous Blog Post URL: The http://blog.zyan.cc/read.php/348.htm won't be accessible.

Method ② Add the following content to the nginx configuration file and restart: if ($ fastcgi_script_name ~ \ .. * \/. * PHP) {return 403 ;}. This match affects URL access to a http://www.domain.com/software/5.0/test.php like a http://www.domain.com/goto.php/phpwind (5.0 as a directory.

Method 3: For the location {...} storing images, or the virtual host server {...}, only static access is allowed, and PHP access is not configured. For example, images and attachments uploaded on the Jinshan Xiaoyao Network Forum and SNS will be transmitted to a dedicated image and attachment storage server cluster (pic.xoyo.com). These servers provide pure static services, no dynamic PHP configuration. Almost all major websites are separated from image servers. Therefore, this nginx vulnerability has little impact on large websites.

I provide a temporary solution to modify the nginx. conf configuration file, which is compatible:

Location ~ *. * \. Php ($ | /)
{
If ($ request_filename ~ * (. *) \. Php ){
Set $ php_url $1;
}
If (! -E $ php_url.php ){
Return 403;
}

Fastcgi_pass 127.0.0.1: 9000;
Fastcgi_index index. php;
Fcinclude gi. conf;
}

You can also write the following content in the fcgi. conf file for reference by multiple virtual hosts:

If ($ request_filename ~ * (. *) \. Php ){
Set $ php_url $1;
}
If (! -E $ php_url.php ){
Return 403;
}

Fastcgi_param gateway_interface cgi/1.1;
Fastcgi_param server_software nginx;

Fastcgi_param QUERY_STRING $ QUERY_STRING;
Fastcgi_param request_method $ request_method;
Fastcgi_param content_type $ content_type;
Fastcgi_param content_length $ content_length;

Fastcgi_param script_filename $ document_root $ fastcgi_script_name;
Fastcgi_param script_name $ URI;
Fastcgi_param request_uri $ request_uri;
Fastcgi_param document_uri $ document_uri;
Fastcgi_param document_root $ document_root;
Fastcgi_param server_protocol $ server_protocol;

Fastcgi_param remote_addr $ remote_addr;
Fastcgi_param remote_port $ remote_port;
Fastcgi_param server_addr $ server_addr;
Fastcgi_param server_port $ server_port;
Fastcgi_param SERVER_NAME $ SERVER_NAME;

# PHP only, required if PHP was built with -- enable-force-CGI-Redirect
Fastcgi_param redirect_status 200;

　　Appendix: Document modification history

● [July 22, May 21, 2010] [version 1.0] New

● [May 23, 2010] [version 1.1] for the "If you construct a file like/..trojan.jpg/dummy. php/?" proposed by Michael /? ABCD = 1, seems to be able to bypass the prevention of nginx configuration ", made configuration changes to prevent such a situation. The URL for the test is as follows:
Http://blog.zyan.cc/demo/0day/phpinfo.jpg (PHP code inside)
Http://blog.zyan.cc/demo/0day/phpinfo.jpg/.php
Http://blog.zyan.cc/demo/0day/phpinfo.jpg/dummy.php
Http://blog.zyan.cc/demo/0day/phpinfo.jpg/dummy.php? ABCD = 1

The test URL is as follows:
Http://blog.zyan.cc/demo/0day/phpinfo.php (this is the normal PHP file)
Http://blog.zyan.cc/demo/0day/phpinfo.php/test
Http://blog.zyan.cc/demo/0day/phpinfo.php/news123.html
Http://blog.zyan.cc/read.php/348.htm

● [July 22, May 24, 2010] [version 1.2] corrected text description errors.

 

A solution to the nginx file type error parsing vulnerability is provided.