nginx file type parsing vulnerability - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201027172
Type myhack58
Reporter Anonymous
Modified 2010-06-12T00:00:00


Vulnerability description: nginx is a high-performance web server in very wide use. Besides being commonly deployed as a reverse proxy, it also runs PHP well. 80sec found a fairly serious security issue in it: by default, a server-side misconfiguration causes files of any type to be parsed as PHP. This is a serious security problem, because it may allow a malicious attacker to take over an nginx server that supports PHP.

Vulnerability analysis: by default nginx runs PHP through CGI (FastCGI). For example, the configuration file may contain

    location ~ \.php$ {
        root html;
        fastcgi_pass 127.0.0.1:9000;   # placeholder: the backend address on the original page was lost in extraction
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        include fastcgi_params;
    }

to enable PHP parsing. The location block is selected according to the request URI, and the key variable passed to the backend FastCGI process, SCRIPT_FILENAME, is derived from the $fastcgi_script_name that nginx generates. Analysis shows that $fastcgi_script_name is controlled directly by the request URI, and this is the problem point. In addition, to better support extracting PATH_INFO, PHP's configuration has the option cgi.fix_pathinfo, whose purpose is to recover the real script name from SCRIPT_FILENAME. Now suppose such a file exists and it is accessed in the following way:

We get a URI

After the location directive matches, the request is handed to the backend FastCGI process, and nginx sets the environment variable SCRIPT_FILENAME to

In other web servers such as lighttpd, we found that SCRIPT_FILENAME is set correctly to

so this problem does not exist there. Once the FastCGI backend receives these parameters, it decides, based on the fix_pathinfo setting, whether to post-process SCRIPT_FILENAME. In general, leaving fix_pathinfo off affects applications that use PATH_INFO for routing, so the option is usually enabled in general configurations. With it enabled, PHP searches for the real script file name, and it searches by checking whether the file exists; at that point SCRIPT_FILENAME and PATH_INFO are separated into

/scripts/0daynet.jpg and 0daynet.php

Finally, /scripts/0daynet.jpg is treated as the script that this request must execute, so the attacker can get nginx to have PHP parse a file of any type.

POC: on a site running nginx with PHP support, take any resource file, for example robots.txt, and append /0daynet.php to its URL; the following difference can then be observed:

Response for the original resource:

    HTTP/1.1 200 OK
    Server: nginx/0.6.32
    Date: Thu, 20 May 2010 10:05:30 GMT
    Content-Type: text/plain
    Content-Length: 18
    Last-Modified: Thu, 20 May 2010 06:26:34 GMT
    Connection: keep-alive
    Keep-Alive: timeout=20
    Accept-Ranges: bytes

Response with the suffix appended:

    HTTP/1.1 200 OK
    Server: nginx/0.6.32
    Date: Thu, 20 May 2010 10:06:49 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=20
    X-Powered-By: PHP/5.2.6

The change in Content-Type shows that a different backend is now responsible for parsing the response, so the site may be vulnerable.

Vendor:


We have tried to contact the vendor; until a fix is available, the following measures can reduce the exposure:

Set cgi.fix_pathinfo to 0 in php.ini.


Alternatively, reject such requests in the nginx PHP location block (the regex in the original page lost its asterisks in extraction; restored here):

    if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
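To make the resolution step concrete, here is an added Python model (not code from the advisory, nginx or PHP) of how PHP's cgi.fix_pathinfo walks back SCRIPT_FILENAME, beside both mitigations the advisory gives; the /scripts document root and file names are constructed from the page's example, and the file set is hypothetical.

```python
import re
# Constructed document root mirroring the advisory's /scripts example; the
# file set is hypothetical: an image, robots.txt and one genuine PHP script.
DOCROOT = "/scripts"
FILES = {"/scripts/0daynet.jpg", "/scripts/robots.txt", "/scripts/index.php"}

# The advisory's nginx guard: if ($fastcgi_script_name ~ \..*\/.*php) { return 403; }
NGINX_GUARD = re.compile(r"\..*/.*php")


def resolve_script(script_filename, files, fix_pathinfo=True):
    """Model of PHP's cgi.fix_pathinfo treatment of SCRIPT_FILENAME.
    fix_pathinfo=1: strip one trailing path component at a time until an
    existing file is found; that file is the script, the rest is PATH_INFO.
    fix_pathinfo=0: the path is used verbatim and must exist.
    Returns (script, path_info), or (None, None) when nothing resolves."""
    if script_filename in files:
        return script_filename, ""
    if not fix_pathinfo:
        return None, None
    path = script_filename
    while True:
        cut = path.rfind("/")
        if cut <= 0:  # reached the root without finding a file
            return None, None
        path = path[:cut]
        if path in files:
            return path, script_filename[cut:]


def handle_php_request(uri, files=FILES, fix_pathinfo=True, nginx_guard=False):
    """Simulate a request that already matched the PHP location block.
    Returns "403" (rejected by the nginx guard), "404" (PHP found no input
    file) or "executed <script> PATH_INFO=<info>"."""
    if nginx_guard and NGINX_GUARD.search(uri):
        return "403"
    script_filename = DOCROOT + uri  # SCRIPT_FILENAME /scripts$fastcgi_script_name
    script, path_info = resolve_script(script_filename, files, fix_pathinfo)
    if script is None:
        return "404"
    return f"executed {script} PATH_INFO={path_info}"


if __name__ == "__main__":
    # Vulnerable default executes the JPEG; either mitigation from the advisory stops it.
    print(handle_php_request("/0daynet.jpg/0daynet.php"))
    print(handle_php_request("/0daynet.jpg/0daynet.php", fix_pathinfo=False))
    print(handle_php_request("/0daynet.jpg/0daynet.php", nginx_guard=True))
    print(handle_php_request("/index.php", nginx_guard=True))
```

Note that the regex guard also rejects legitimate URIs whose PATH_INFO part ends in "php", which is the same trade-off the advisory describes for turning fix_pathinfo off.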

PS: special thanks to laruence for his help during the analysis.