Article Title: nginx file type error Parsing Vulnerability. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Vulnerability Description: nginx is a high-performance web server that is widely used. It is often used as a reverse proxy and supports PHP operations. 80sec finds that there is a serious security problem. By default, it may cause the server to incorrectly parse any types of files in PHP mode, which will lead to serious security problems, this allows malicious attackers to attack nginx servers that support php.
Vulnerability Analysis: nginx supports php running in cgi Mode by default. For example, in the configuration file
Location ~ \. Php $ {
Root html;
Fastcgi_pass 127.0.0.1: 9000;
Fastcgi_index index. php;
Fastcgi_param SCRIPT_FILENAME/scripts $ fastcgi_script_name;
Include fastcgi_params;
}
You can use the URI environment variable to select the request. The key variable SCRIPT_FILENAME passed to the backend Fastcgi is determined by $ fastcgi_script_name generated by nginx, through analysis, we can see that $ fastcgi_script_name is directly controlled by the URI environment variable. Here is the problem. To better support extraction of PATH_INFO, the cgi. fix_pathinfo option exists in the configuration options of PHP. The purpose is to extract the real script name from SCRIPT_FILENAME.
Assume that there is
You will get a URI
/80sec.jpg/80sec. php
After the location command, the request will be sent to the backend fastcgi for processing. nginx sets the environment variable SCRIPT_FILENAME for it. The content is
/Scripts/80sec.jpg/80sec. php
In other webservers such as lighttpd, we find that the SCRIPT_FILENAME is correctly set
/Scripts/80sec.jpg
This problem does not exist.
When the backend fastcgi receives this option, it determines whether to perform additional processing on SCRIPT_FILENAME Based on the fix_pathinfo configuration, in general, setting fix_pathinfo will affect the application that uses PATH_INFO for route selection. Therefore, this option is generally enabled. Php uses this option to search for the real script file name. The search method is to check whether the file exists. At this time, the SCRIPT_FILENAME and PATH_INFO are separated
/Scripts/80sec.jpg and 80sec. php
Finally, with/scripts/80sec.jpg as the script to be executed for this request, attackers can enable nginx to parse any types of files using php.
POC: compile an nginxto support the php site, and add/80sec. php to a resource file such as robots.txt. You can see the following differences at this time:
Http://www.80sec.com/robots.txt access
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout = 20
Accept-Ranges: bytes
Access http://www.80sec.com/robots.txt/80sec.php
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout = 20
X-Powered-By: PHP/5.2.6
The change in Content-Type indicates the change in backend Resolution, and the site may have a vulnerability.
Vulnerability vendor: http://www.nginx.org
Solution:
We have tried to contact the official website, but you can reduce the loss through the following methods:
Disable cgi. fix_pathinfo to 0
Or
If ($ fastcgi_script_name ~ \ .. * \/. * Php ){
Return 403;
}