Tuesday, 8 March 2011

Re: Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

On 8 Mar 2011 14h33 WET, nginx-forum@nginx.us wrote:

> Hi,
>
> I discovered a vulnerability in your best practice wiki article:
> http://wiki.nginx.org/Pitfalls#Proxy_Everything
>
> The configuration which is promoted as "good" doesn't work as
> intended:
>
> <<<>>>
> server {
>     server_name _;
>     root /var/www/site;
>     location / {
>         try_files $uri $uri/ @proxy;
>     }
>     location @proxy {
>         include fastcgi_params;
>         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
>         fastcgi_pass unix:/tmp/phpcgi.socket;
>     }
> }
> <<<>>>
>
> try_files checks if a file exists and if it does, it is simply
> returned to the browser. This is a good thing for static files, but
> with this configuration PHP files are not parsed.
>
> <<<>>>
> $ curl -i http://foo.lan/info.php
> HTTP/1.1 200 OK
> Server: nginx/0.8.54
> Date: Tue, 08 Mar 2011 14:08:07 GMT
> Content-Type: application/octet-stream
> Content-Length: 20
> Last-Modified: Tue, 08 Mar 2011 13:05:32 GMT
> Connection: keep-alive
> Accept-Ranges: bytes
>
> <?php phpinfo(); ?>
> <<<>>>
>
> The configuration works, i.e. the PHP files are parsed, only in one
> case: if nginx believes the file does not exist (although it does)
> and hands the request to the FastCGI instance.
>
> <<<>>>
> C:\Users\Lukas>curl -i http://foo.lan/info.php/asdf
> HTTP/1.1 200 OK
> Server: nginx/0.8.54
> Date: Tue, 08 Mar 2011 14:21:17 GMT
> Content-Type: text/html
> Transfer-Encoding: chunked
> Connection: keep-alive
> X-Powered-By: PHP/5.3.5-1 <-------- This file was parsed by PHP as
> intended.
>
> [...]
> <<<>>>

That's a generic example. The pitfalls page is meant to warn you
against some inadvisable practices. It's not meant to be a config
recipe. You should always adapt your config to your application.

As a rule, all PHP (or whatever language file) scripts should be
enumerated in the config, if possible with exact matches, or if
using PATHINFO, with the correct pattern.

Otherwise you're setting yourself up for getting p0wned.

--- appa


_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
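A corrected version of the quoted configuration, written here as an added example (it is not from the thread or the nginx wiki). It follows appa's two options: an exact match for the known script, and an explicit PATH_INFO pattern that only hands a request to FastCGI when the script itself exists on disk. The root, the socket path and `info.php` are taken from the quoted config and test; everything else is assumed.

```nginx
# Added example, not the thread's own config. Paths and socket are
# taken from the quoted configuration; info.php from the quoted test.
server {
    server_name _;
    root /var/www/site;

    # Static files only. No .php request reaches this block (the
    # locations below match them first), so a script's source is
    # never served as application/octet-stream.
    location / {
        try_files $uri $uri/ =404;
    }

    # Option 1: enumerate the scripts that may run, with exact matches.
    # Exact-match locations take precedence over the regex below.
    location = /info.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }

    # Option 2: if the application needs PATH_INFO (/script.php/extra),
    # split it explicitly and require the script to exist. A request
    # like /info.php/asdf is only passed on if /info.php is a real file;
    # anything else gets 404 instead of reaching FastCGI.
    location ~ ^(.+?\.php)(/.*)?$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # try_files resets $fastcgi_path_info. 'set' runs in the rewrite
        # phase, before try_files, so the value survives in $path_info.
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}
```

With this layout the quoted test `curl -i http://foo.lan/info.php` is parsed by PHP, and `curl -i http://foo.lan/info.php/asdf` is parsed only because `/var/www/site/info.php` exists; the same request for a non-existent script returns 404.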
