nginx+cgi to parse php is prone to a vulnerability analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201235854
Type myhack58
Reporter 佚名
Modified 2012-12-01T00:00:00


The title is a bit large, when we analyze carefully after, in fact, are generally configuration issues.

If someone wants to attack the server, it will scan the machine where there is vulnerability can upload a malicious script file, the upload script is the first step,

When a malicious php script is uploaded to the server(its suffix may be php, may also be disguised as a jpg or other suffix),

If the script can be parsed to perform, that think the attacker can do whatever they want.

That from the source up to avoid this problem can be from the following aspects to start:

  1. Before upload it should determine the file is not a php script file, if it is not allowed to upload(including camouflage suffix).

  2. After the upload you should upload the attachment file separately in a server, the machine only do a static analysis, you don't have a problem.

The first article requires written procedures to ensure that, to say nothing of the most simple to determine the file suffix to a file determine the file type, or complex, we can go online to find.

The second strip solution may hinder the limited resources, it is not good to do. What if not only one machine, then, is not only a human platter., I fish.

In fact also can be configured from up to avoid,

Ban ngingx parses the Upload Directory of the php file.

location ~ ^/upload/.\. (php|php5)($|/)


deny all;


Avoid camouflage other suffix of the script execution

For example: by some means upload the disguised file, the upload 下 存在 一 个 伪装 成 图片 的 php 脚本 a.jpg,

Then when using the http://www. nginx. cn/upload/a. jpg/b. php access,

If you do not do special settings passed to the CGI execution SCRIPT_FILENAME is$root/upload/a.jpg/b.php

When setting up the cgi. fix_pathinfo = 1, The PHP would have to'/'as the delimiter from the last file to begin the forward looking for the presence of the file to execute.



Final masquerade script will be executed.


  1. Turn off cgi. fix_pathinfo is set to cgi. fix_pathinfo = 0, but will affect the use of PATH_INFO to rewrite the program.


The code is as follows:

location ~ .\. php($|/)


if ($request_filename ~ (.)\. php) {

set $php_url $1;


if (!- e $php_url.php) {

return 4 0 3;