nginx file type parsing vulnerability - vulnerability warning - the black bar safety net

2010-06-12T00:00:00
ID MYHACK58:62201027172
Type myhack58
Reporter Anonymous
Modified 2010-06-12T00:00:00

Description

Vulnerability description: nginx is a high-performance web server that is very widely deployed; it is commonly used as a reverse proxy and also offers good support for running PHP. 80sec found a fairly serious security issue: under the default configuration, the server can be made to parse any type of file as PHP. This is a serious problem, because it lets a malicious attacker compromise any nginx server that supports PHP.

Vulnerability analysis: by default nginx runs PHP through CGI (FastCGI); for example, the configuration file contains

    location ~ \.php$ {
        root html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        include fastcgi_params;
    }

to enable PHP parsing. The location that handles a request is selected from the URI, and the key variable passed to the backend FastCGI process, SCRIPT_FILENAME, is determined by the nginx-generated $fastcgi_script_name. Analysis shows that $fastcgi_script_name is controlled directly by the URI, and this is where the problem lies. To better support extraction of PATH_INFO, PHP has the configuration option cgi.fix_pathinfo, whose purpose is to extract the real script name from SCRIPT_FILENAME. Now suppose http://www.0daynet.com/0daynet.jpg exists and we access it as

http://www.0daynet.com/0daynet.jpg/0daynet.php

nginx will see the URI

/0daynet.jpg/0daynet.php

Once the location directive matches, the request is handed to the backend FastCGI process, and nginx sets the environment variable SCRIPT_FILENAME to

/scripts/0daynet.jpg/0daynet.php

In other web servers such as lighttpd, we found that SCRIPT_FILENAME is correctly set to

/scripts/0daynet.jpg

so this problem does not exist there. After the FastCGI backend receives the request, it decides based on the cgi.fix_pathinfo setting whether to process SCRIPT_FILENAME further. In general, leaving fix_pathinfo off breaks applications that use PATH_INFO for routing, so the option is normally enabled. With the option on, PHP searches for the real script file name by checking whether each candidate path exists as a file, and in this case it splits SCRIPT_FILENAME and PATH_INFO into

/scripts/0daynet.jpg and 0daynet.php

Finally, /scripts/0daynet.jpg is treated as the script this request should execute, so an attacker can make nginx hand any type of file to PHP for parsing.

POC: on any site that runs PHP under nginx, take any resource file, such as robots.txt, and append /0daynet.php to its path. You will then see the following difference:

Access http://www.0daynet.com/robots.txt

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: text/plain
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes

Access http://www.0daynet.com/robots.txt/0daynet.php

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6

The change in Content-Type (and the added X-Powered-By header) shows that a different backend is now responsible for producing the response, so the site may be vulnerable.

Vendor: http://www.nginx.org

Solution:

We have tried to contact the vendor; in the meantime, the following measures can be used to reduce the risk:

Set cgi.fix_pathinfo to 0

Or

if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
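The resolution chain described in the analysis above, together with the effect of both suggested mitigations, as an added Python model that is not part of the advisory and is not nginx's or PHP's own code. `php_resolve` is a deliberately simplified stand-in (an assumption for this example) for how php-cgi applies cgi.fix_pathinfo; `nginx_script_filename` mirrors the advisory's location block, which sets SCRIPT_FILENAME to /scripts$fastcgi_script_name; `request_outcome`, `BLOCK_RULE` and the file list in `EXISTING_FILES` are constructed for the example.

```python
import re
from typing import Callable, Optional, Tuple

# Constructed sample filesystem for the example: the advisory's location block
# maps URIs under /scripts, and these are the only files assumed to exist.
EXISTING_FILES = {
    "/scripts/0daynet.jpg",    # the image from the advisory
    "/scripts/index.php",      # a legitimate script
    "/scripts/dir.d/app.php",  # a legitimate script in a directory whose name contains a dot
}

ROOT_PREFIX = "/scripts"

# The advisory's suggested nginx rule, expressed as a Python regex:
#   if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
BLOCK_RULE = re.compile(r"\..*/.*php")


def nginx_script_filename(uri: str) -> str:
    """Model of the advisory's location block: SCRIPT_FILENAME is
    /scripts$fastcgi_script_name, and without fastcgi_split_path_info
    $fastcgi_script_name is simply the request URI."""
    return ROOT_PREFIX + uri


def php_resolve(script_filename: str, fix_pathinfo: bool,
                exists: Callable[[str], bool] = EXISTING_FILES.__contains__
                ) -> Tuple[Optional[str], Optional[str]]:
    """Simplified model (an assumption for this example, not PHP's source) of
    php-cgi's handling of SCRIPT_FILENAME.

    With cgi.fix_pathinfo=1, php-cgi strips trailing path components until the
    remaining prefix names an existing file; that prefix becomes the script to
    execute and the stripped tail becomes PATH_INFO.  With cgi.fix_pathinfo=0
    the value is used as-is and must exist.  Returns (script, path_info), or
    (None, None) when no script is found ("No input file specified")."""
    if not fix_pathinfo:
        return (script_filename, None) if exists(script_filename) else (None, None)
    path, path_info = script_filename, ""
    while path:
        if exists(path):
            return path, (path_info or None)
        cut = path.rfind("/")
        if cut <= 0:
            break
        path, path_info = path[:cut], path[cut:] + path_info
    return None, None


def request_outcome(uri: str, fix_pathinfo: bool, block_rule: bool) -> str:
    """Trace a request through the modelled nginx + php-cgi chain and report
    who ends up handling it: 'static' (nginx serves the file itself), '403'
    (rejected by the advisory's rule), '404' (php-cgi finds no script), or
    'php:<script> PATH_INFO=<tail>' (php-cgi executes <script>)."""
    if not uri.endswith(".php"):
        return "static"                  # location ~ \.php$ does not match
    if block_rule and BLOCK_RULE.search(uri):
        return "403"
    script, path_info = php_resolve(nginx_script_filename(uri), fix_pathinfo)
    if script is None:
        return "404"
    return f"php:{script} PATH_INFO={path_info}"


if __name__ == "__main__":
    for uri in ("/0daynet.jpg/0daynet.php", "/index.php", "/dir.d/app.php", "/robots.txt"):
        for fix, rule in ((True, False), (False, False), (True, True)):
            print(f"{uri:26} fix_pathinfo={int(fix)} block_rule={int(rule)} -> "
                  f"{request_outcome(uri, fix, rule)}")
```

Running the model shows the three states side by side: with cgi.fix_pathinfo=1 and no rule, /0daynet.jpg/0daynet.php resolves to the image as the script with PATH_INFO=/0daynet.php; with cgi.fix_pathinfo=0 the same request yields no script and php-cgi answers with its "No input file specified" error; with the regex rule nginx returns 403 before the request reaches PHP. The model also exposes the rule's side effect worth checking before deployment: because it matches any dot followed later by a slash, a legitimate script such as /dir.d/app.php (a directory name containing a dot) is rejected too.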

PS: special thanks to laruence for his help during the analysis.