Nginx file type error Parsing Vulnerability 0-day severe webshellnginx Vulnerability
Source: Internet
Author: User
Nginx file type error Parsing Vulnerability 0-day severe webshellnginx vulnerability introduction:
NginxIt is a high-performance web server that is widely used. It is not only often used as a reverse proxy, but also can be well supported.
PHP. 80sec finds that there is a serious security problem. By default, it may cause the server to incorrectly parse any types of files in PHP mode, which will lead to serious security problems, attackers may be attacked.
Php.
Vulnerability Analysis: nginx supports php running in cgi Mode by default. For example, in the configuration file
You can use the URI environment variable to select the request. The key variable SCRIPT_FILENAME passed to the backend Fastcgi is determined by $ fastcgi_script_name generated by nginx, through analysis, we can see that $ fastcgi_script_name is directly controlled by the URI environment variable. Here is the problem. To better support extraction of PATH_INFO, the cgi. fix_pathinfo option exists in the configuration options of PHP. The purpose is to extract the real script name from SCRIPT_FILENAME.
Assume that there is an http://www.80sec.com/80sec.jpg.
Http://www.80sec.com/80sec.jpg/80sec.php
You will get a URI
/80sec.jpg/80sec. php
After the location command, the request will be sent to the backend fastcgi for processing. nginx sets the environment variable SCRIPT_FILENAME for it. The content is
/Scripts/80sec.jpg/80sec. php
Other webservers such as lig
HttpdWe found that the SCRIPT_FILENAME is correctly set
/Scripts/80sec.jpg
This problem does not exist.
When the backend fastcgi receives this option, it determines whether to perform additional processing on SCRIPT_FILENAME Based on the fix_pathinfo configuration, in general, setting fix_pathinfo will affect the application that uses PATH_INFO for route selection. Therefore, this option is generally enabled. Php uses this option to search for the real script file name. The search method is to check whether the file exists. At this time, the SCRIPT_FILENAME and PATH_INFO are separated
/Scripts/80sec.jpg and 80sec. php
Finally, with/scripts/80sec.jpg as the script to be executed for this request, attackers can enable nginx to parse any types of files using php.
POC: compile an nginxto support the php site, and add/80sec. php to a resource file such as robots.txt. You can see the following differences at this time:
Http://www.80sec.com/robots.txt access
HTTP/1.1 200 OK Server: nginx/0.6.32 Date: Thu, 20 May 2010 10:05:30 GMT Content-Type: text/plain Content-Length: 18 Last-ModifiEd: Thu, 20 May 2010 06:26:34 GMT Connection: keep-alive Keep-Alive:TimeOut = 20 Accept-Ranges: bytes
The change in Content-Type indicates the change in backend Resolution, and the site may have a vulnerability.
NginxVulnerability vendor: http://www.nginx.org
Solution:
We have tried to contact the official website, but you can reduce the loss through the following methods:
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
