Nginx + cgi php Parsing Vulnerabilities

Source: Internet
Author: User

The title promises more than the article covers. In practice, the problem we usually run into is a configuration problem. An attacker who wants to take over a server scans it for a way to upload a malicious script file. Uploading is only the first step: once a malicious PHP script is on the server (its suffix may be .php, or it may be disguised with another suffix such as .jpg), if that script can be parsed and executed, the attacker can do whatever they want.

To prevent this at the source, work on two fronts:

1. Before the upload, verify that the file cannot be a PHP script, and refuse the upload if it might be one (including disguised suffixes).
2. After the upload, store the uploaded attachments on a separate server that only serves static files, so nothing in the upload directory is ever executed.

The first has to be enforced in the upload code; there is not much more to say about it. The simplest check is on the file suffix; a stricter check inspects the file content to determine its type, and if the file types you need to accept are more complex, ready-made approaches can be found online. The second solution may be hard to implement with limited resources. If you only have one machine, is the server simply at the attacker's mercy? Not necessarily: nginx can be configured so that PHP files in the upload directory are never parsed:

    location ~* ^/upload/.*\.(php|php5)($|/) {
        deny all;
    }

You also have to prevent the execution of scripts disguised with other suffixes. Suppose a PHP script has been uploaded through some upload form as a fake image, upload/a.jpg, and it is then requested as

    http://www.nginx.cn/upload/a.jpg/b.php

Without special settings, the SCRIPT_FILENAME passed to CGI for execution is $root/upload/a.jpg/b.php. When cgi.fix_pathinfo=1 is set in the PHP configuration (php.ini), PHP splits the path at '/' and walks back from the end until it finds a file that exists:

    $root/upload/a.jpg/b.php   (does not exist)
    $root/upload/a.jpg         (exists)

and the disguised script is executed.

Solutions:

1. Disable cgi.fix_pathinfo by setting cgi.fix_pathinfo=0. This affects programs that rely on PATH_INFO for rewriting.
2. In the nginx configuration, only hand a request to PHP when the .php file actually exists:

    location ~* .*\.php($|/) {
        if ($request_filename ~* (.*)\.php) {
            set $php_url $1;
        }
        if (!-e $php_url.php) {
            return 403;
        }
    }
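As an added illustration (not code from the original article), the following Python emulates the two behaviours described above: which file php-cgi ends up executing under cgi.fix_pathinfo=0 and =1, and whether the nginx location block from solution 2 lets a request through. The document root /var/www and the sample file list are constructed assumptions.

```python
import posixpath
import re
from typing import Callable, Optional

# Constructed sample filesystem (regular files only) for the scenario on this
# page: the site's real index.php, plus a PHP script uploaded as a fake image.
ROOT = "/var/www"
SAMPLE_FS = {ROOT + "/index.php", ROOT + "/upload/a.jpg"}
sample_is_file: Callable[[str], bool] = SAMPLE_FS.__contains__


def php_resolve(script_filename: str, is_file: Callable[[str], bool],
                fix_pathinfo: int) -> Optional[str]:
    """Simplified emulation of which file php-cgi executes for SCRIPT_FILENAME.

    fix_pathinfo=0: only the exact path is accepted.
    fix_pathinfo=1: strip one '/'-separated component at a time from the right
    until the remainder is an existing file; the stripped tail becomes PATH_INFO.
    Returns the file that would run, or None ("No input file specified").
    """
    if fix_pathinfo == 0:
        return script_filename if is_file(script_filename) else None
    path = script_filename
    while path not in ("", "/"):
        if is_file(path):
            return path
        path = posixpath.dirname(path)
    return None


def nginx_php_guard(request_filename: str, is_file: Callable[[str], bool]) -> int:
    """Emulate solution 2 as an HTTP status: 403 when the path up to the last
    '.php' does not name an existing file, otherwise 200 (request passed to PHP).
    The nginx -e test also accepts directories; only regular files matter here.
    """
    m = re.match(r"(.*)\.php", request_filename, re.IGNORECASE)
    if m is None:
        return 200  # regex did not match: $php_url is never set, no 403 issued
    php_url = m.group(1)  # greedy (.*): everything before the LAST ".php"
    return 403 if not is_file(php_url + ".php") else 200


if __name__ == "__main__":
    attack = ROOT + "/upload/a.jpg/b.php"
    print("fix_pathinfo=1 executes:", php_resolve(attack, sample_is_file, 1))
    print("fix_pathinfo=0 executes:", php_resolve(attack, sample_is_file, 0))
    print("nginx guard status:", nginx_php_guard(attack, sample_is_file))
```

A legitimate PATH_INFO request such as /index.php/extra still passes the guard, because /var/www/index.php exists, which is why solution 2 does not break rewrite-style applications the way cgi.fix_pathinfo=0 can.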
