Nginx file type error Parsing Vulnerability

Nginx is a high-performance web server that is widely used. It is often used as a reverse proxy and supports PHP operations. 80sec finds that there is a serious security problem. By default, it may cause the server to incorrectly parse any types of files in PHP mode, which will lead to serious security problems, this allows malicious attackers to attack nginx servers that support php.

Vulnerability Analysis: nginx supports php running in cgi Mode by default. For example, in the configuration file
Program code
Ocation ~ . Php $ {
Root html;
Fastcgi_pass 127.0.0.1: 9000;
Fastcgi_index index. php;
Fastcgi_param SCRIPT_FILENAME/scripts $ fastcgi_script_name;
Include fastcgi_params;
}
You can use the URI environment variable to select the request. The key variable SCRIPT_FILENAME passed to the backend Fastcgi is determined by $ fastcgi_script_name generated by nginx, through analysis, we can see that $ fastcgi_script_name is directly controlled by the URI environment variable. Here is the problem. To better support extraction of PATH_INFO, the cgi. fix_pathinfo option exists in the configuration options of PHP. The purpose is to extract the real script name from SCRIPT_FILENAME.
Assume that there is one, and we will access it in the following way:
Program code

POC: compile an nginxto support the php site, and add/80sec. php to a resource file such as robots.txt. You can see the following differences at this time:

Http://www.80sec.com/robots.txt access

[Code] HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout = 20
Accept-Ranges: bytes

Access http://www.80sec.com/robots.txt/80sec.php
Program code
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout = 20
X-Powered-By: PHP/5.2.6

The change in Content-Type indicates the change in backend Resolution, and the site may have a vulnerability.

Vulnerability vendor: http://www.nginx.org

Solution:

We have tried to contact the official website, but you can reduce the loss through the following methods:

Program code
Disable cgi. fix_pathinfo to 0

Or

Program code
If ($ fastcgi_script_name ~ .. */. * Php ){
Return 403;
}