Use FastCGI in PHP to Parse Vulnerabilities and fix them _ php instances

Source: Internet
Author: User
This article describes how to use FastCGI in PHP to Parse Vulnerabilities and fix the vulnerabilities. For more information, see Vulnerability description:

Nginx supports PHP parsing in CGI Mode by default. The common practice is to set SCRIPT_FILENAME through regular expression matching in the Nginx configuration file. When you access the URL http: // 192.168.1.102/phpinfo.jpg/1.php, $fastcgi_script_namewill be set to “phpinfo.jpg/1. php "and constructed as SCRIPT_FILENAME and passed to php cgi. Pipeline is parsed as the PHP file.

Hazards:

Improper configuration of WebServer Fastcgi may cause other files (such as css, js, jpg and other static files) to be parsed and executed as php scripts. When a user uploads a malicious script webshell to a static file and passes it to the backend php for parsing and execution, attackers can gain operation permissions on the server.

Solution:

(For Nginx users, you can select solution 1 or solution 2. For IIS users, use solution 1)

Solution 1: Modify the php. ini file and set cgi. fix_pathinfo to 0. Restart PHP and NGINX (IIS ).

Solution 2: Add the following code to the Nginx configuration file:

The Code is as follows:


If ($ fastcgi_script_name ~ \ .. * \/. * Php ){
Return 403;
}

This line of code is equivalent to the 403 error code when the URL of test.jpg/a. php is matched. Restart Nginx after modification.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.