<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
<br>
<blockquote cite="mid:1282930243.2053.14.camel@portable-evil"
type="cite">
<pre wrap="">I think the best course of action is to get Ed's explanation of the
issue onto the wiki, add a link from each and every PHP config back to
it along with a request that someone who actually uses that config to
verify that it is not vulnerable (or apply a fix if it is) and update
the wiki. If we can't get that to happen then we deserve what we get.
</pre>
</blockquote>
<br>
Can we push first for a generic config that everyone can start
from? I think Maxim Dounin's response a few moments ago now covers
the key areas:<br>
<br>
Single script, enable only that single script:<br>
<br>
location = /blah/script.php {<br>
include /etc/nginx/fastcgi_params;<br>
fastcgi_pass localhost:9000;<br>
}<br>
<br>
<br>
<pre wrap="">Exclude single dir, everything else executable:
</pre>
<pre wrap=""> location ^~ <i class="moz-txt-slash"><span class="moz-txt-tag">/</span>images<span class="moz-txt-tag">/</span></i> {
# just handle as static, don't consult regexps
}
location ~ \.php$ {
fastcgi_pass ...
}
</pre>
<br>
<br>
<pre wrap="">Or, alternatively (and much more clear, but may have problems
in older nginx versions), use inclusive/nested locations:
location / {
...
location ~ \.php$ {
fastcgi_pass ...
}
}
location <i class="moz-txt-slash"><span class="moz-txt-tag">/</span>images<span class="moz-txt-tag">/</span></i> {
# just handle as static
}
I don't really understand all the aspects of Brian Mercer's response - perhaps someone can meld the best bits into the above:
location ~ .*<i class="moz-txt-slash"><span class="moz-txt-tag">/</span>files<span class="moz-txt-tag">/</span></i>.* {
try_files $uri =404 # or index.php?q=$uri or @drupal depending on your config
}
There may be additional aspects that we haven't considered given the generic fastcgi_params script and other CGI implementations? Anyone know of obvious abuses of "../" or any SSI type features?
Note we haven't addressed path_info with the above solution. I'm ignorant enough that I still think it's not a problem assuming you avoid executing scripts in untrusted file locations, but perhaps someone can show that we need to add that to the generic solution also?
Please improve and fully quote suggestions on the above so that we can cut and paste into the wiki
Thanks
Ed W
</pre>
</body>
</html>