Nginx Settings Cgi.fix_pathinfo Vulnerability and workaround

Recently in learning Nginx configuration, there is a setup need to php.ini in the Cgi.fix_pathinfo = 1 To change to cgi.fix_pathinfo=0, want to understand the specific function of this parameter setting, so Baidu down, found here there is a PHP path_ The vulnerability of info
(see: Https://bugs.php.net/bug.php?id=50852&edit=1) General understanding of the next.

the vulnerability Analysislocation selects the request using a URI environment variable, which is passed to the back-end fastcgi key variable script_filename generated by Nginx $fastcgi_script_ Name, and through the analysis you can see that the $fastcgi_script_name is directly controlled by the URI environment variable, and here is the point where the problem arises. In order to better support the extraction of path_info, there is a cgi.fix_pathinfo option in the PHP configuration option, which is intended to remove the real script name from the Script_filename.

"vulnerability Scenario" in http://xiumu.blog.51cto.com/upload a normal picture helloworld.jpg, can access, if we make a PHP Webshell named hacker.php, copy named Hacker.jpg, if the normal upload, then the next step is to consider how hacker.jpg as hacker.php to execute. If the http://xiumu.blog.51cto.com/hacker.jpg/abc.php is executed in a secure situation, then the URL will be separated into

Directory "www\hacker.jpg\" and File "abc.php",

However, if there is a PHP path_info vulnerability will be "hacker.jpg/abc.php", after the location instruction, the request will be given to the backend fastcgi processing, Nginx set the environment variable script_filename, the content is "/scripts/hacker.jpg/abc.php", the back end of fastcgi when this option is accepted, the Fix_pathinfo configuration determines whether additional processing is performed on the script_filename, generally if the fix_ is not PathInfo settings will affect apps that use path_info for routing, so this option is generally configured to turn on. PHP through this option will find the real script file name, look for the way to see if the file exists, this time will be separated out script_filename and Path_info respectively

/scripts/hacker.jpg and abc.php

Finally, with/scripts/hacker.jpg as the script to be executed for this request, an attacker could enable nginx to parse any type of file in PHP.

But later found that it caused PHP's hyper-global variable $_server[' php_self ' is empty so some programs will be wrong (such as discuz will be stitching up the wrong picture avatar Path).

"Workaround"

Method One: Modify PHP.ini, set cgi.fix_pathinfo = 0, and then restart php-cgi. This modification affects applications that use Path_info pseudo-static, for example: http://xiumu.blog.51cto.com/520.html cannot be accessed.

Method Two: After the Nginx configuration file to add the following content restart: if ($fastcgi _script_name ~ \. *\/.*php) {return 403;}. This match affects access to similar http://xiumu.blog.51cto.com/5.0/helloworld.php.

Method Three:

----------code originates from a network----------

if ($request _filename ~* (. *) \.php) {
Set $php _url $;
}
if (!-e $php _url.php) {
return 403;
}

Fastcgi_param Gateway_interface cgi/1.1;
Fastcgi_param Server_software Nginx;

Fastcgi_param query_string $query _string;
Fastcgi_param Request_method $request _method;
Fastcgi_param Content_Type $content _type;
Fastcgi_param content_length $content _length;

Fastcgi_param script_filename $document _root$fastcgi_script_name;
Fastcgi_param Script_name $uri;
Fastcgi_param Request_uri $request _uri;
Fastcgi_param Document_uri $document _uri;
Fastcgi_param document_root $document _root;
Fastcgi_param server_protocol $server _protocol;

Fastcgi_param remote_addr $remote _addr;
Fastcgi_param Remote_port $remote _port;
Fastcgi_param server_addr $server _addr;
Fastcgi_param server_port $server _port;
Fastcgi_param server_name $server _name;

# PHP only, required if PHP is built with--enable-force-cgi-redirect
Fastcgi_param Redirect_status 200;

----------End----------

Create a new name: Fastcgi.conf, save the above contents, and do the following settings in Localtion:

----------code originates from a network----------

Location ~*. *\.php ($|/)
{
if ($request _filename ~* (. *) \.php) {
Set $php _url $; #请根据实际情况设置
}
if (!-e $php _url.php) {
return 403;
}

Fastcgi_pass 127.0.0.1:9000;
Fastcgi_index index.php;
Include fcgi.conf;
}

----------End----------

Reference website:

"Nginx file type Error parsing vulnerability" http://www.80sec.com/nginx-securit.html#more-163

"Provide a solution to the Nginx file type error parsing vulnerability" http://zyan.cc/nginx_0day/

This article is from the "Deadwood Self-Carving" blog, please be sure to keep this source http://xiumu.blog.51cto.com/311602/1722974

Nginx Settings Cgi.fix_pathinfo Vulnerability and workaround