Research, techniques and news on PHP, PHP extensions and the Zend Engine – 左手代码 右手诗

20 May 10 A Possible Security Vulnerability in Nginx + PHP CGI

The common Nginx + PHP CGI setup today sets SCRIPT_FILENAME in the configuration file through a regex match (see "The PATH_INFO problem with Nginx (PHP/fastcgi)"). Today 小顿 discovered a security vulnerability in this approach.

For example, given http://www.laruence.com/fake.jpg, constructing the following URL lets you see the binary contents of fake.jpg:

http://www.laruence.com/fake.jpg/foo.php

Why does this happen?

Take the following nginx conf, for example:

location ~ \.php($|/) {
	fastcgi_pass   127.0.0.1:9000;
	fastcgi_index  index.php;

	set $script    $uri;
	set $path_info "";
	if ($uri ~ "^(.+\.php)(/.*)") {
		set  $script     $1;
		set  $path_info  $2;
	}

	include       fastcgi_params;
	fastcgi_param SCRIPT_FILENAME   $document_root$script;
	fastcgi_param SCRIPT_NAME       $script;
	fastcgi_param PATH_INFO         $path_info;
}

After the regex match, SCRIPT_NAME is set to "fake.jpg/foo.php", which is then used to build SCRIPT_FILENAME and passed on to PHP CGI. But why does PHP accept such a parameter and go on to parse fake.jpg?

That brings us to a parameter of PHP's cgi SAPI, fix_pathinfo:

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix it's paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
cgi.fix_pathinfo=1

If this option is enabled, the following logic in PHP is triggered:

/*
 * if the file doesn't exist, try to extract PATH_INFO out
 * of it by stat'ing back through the '/'
 * this fixes url's like /info.php/test
 */
if (script_path_translated &&
	(script_path_translated_len = strlen(script_path_translated)) > 0 &&
	(script_path_translated[script_path_translated_len-1] == '/' ||
	.... // remainder omitted.

At this point PHP decides that SCRIPT_FILENAME is fake.jpg and that foo.php is the PATH_INFO, and then PHP interprets and executes fake.jpg as a PHP file... So...
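To make the walk-back concrete, here is an added Python example (not code from this post or from PHP itself) that re-implements the simplified cgi.fix_pathinfo logic against a constructed document root, shows how "/fake.jpg/foo.php" resolves to fake.jpg as the script, and applies the extension check a defender would want before the file reaches the interpreter:

```python
import os
import tempfile

# Added example, not code from the original post or from PHP: a simplified
# re-implementation of what cgi.fix_pathinfo=1 does when SCRIPT_FILENAME does
# not exist, so the fake.jpg/foo.php case can be reproduced offline.

def fix_pathinfo_split(docroot, script_name):
    """Walk back through '/' (as PHP's cgi SAPI does) until a path exists as a
    regular file. Returns (script, path_info), or (None, None) if nothing exists."""
    path, path_info = script_name, ""
    while True:
        if os.path.isfile(os.path.join(docroot, path.lstrip("/"))):
            return path, path_info
        idx = path.rfind("/")
        if idx <= 0:  # nothing left to peel off
            return None, None
        path_info = path[idx:] + path_info
        path = path[:idx]

def may_execute(script):
    """Defender-side check: only a resolved script whose name ends in .php may be
    handed to the PHP interpreter (the effect of turning fix_pathinfo off, or of
    verifying the resolved script before fastcgi_pass)."""
    return script is not None and script.endswith(".php")

def demo():
    """Constructed document root with a legitimate index.php and an uploaded
    'image' that is really PHP code; returns how both request URIs resolve."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>")
        with open(os.path.join(docroot, "fake.jpg"), "w") as f:
            f.write("<?php echo 'not an image'; ?>")  # constructed malicious upload
        results = {}
        for uri in ("/index.php/user/42", "/fake.jpg/foo.php"):
            script, info = fix_pathinfo_split(docroot, uri)
            results[uri] = (script, info, may_execute(script))
        return results

if __name__ == "__main__":
    for uri, (script, info, ok) in demo().items():
        print(f"{uri}: script={script} path_info={info} "
              f"execute={'yes' if ok else 'REJECT'}")
```

The legitimate PATH_INFO case (/index.php/user/42) still resolves and passes the check, while the uploaded fake.jpg is rejected even though the walk-back found it.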

The damage this issue can do is, in 小顿's words, enormous.

For some forums, if someone uploads an image (which is actually a malicious PHP script) and then constructs such a request...

So if you run this server combination, please check your setup; if you are affected, disable fix_pathinfo (it is enabled by default).

For detailed vulnerability information, head over to 小顿's blog: 80Sec

Also: I don't think this has anything to do with Nginx; it isn't a vulnerability in Nginx. It is a configuration problem. Everyone is calling it an Nginx bug right now, and that is not right.


88 Responses to "A Possible Security Vulnerability in Nginx + PHP CGI"

  4. How Nginx works, optimization and vulnerabilities | 奔跑吧.少年! |

    [...] PS: Thanks to laruence for his help during the analysis [...]

  5. How Nginx works, optimization and vulnerabilities. – 运维部落 |

    [...] PS: Thanks to laruence for his help during the analysis [...]

  6. nginx file type misparsing vulnerability | 一世浮华一场空 |

    [...] PS: Thanks to laruence for his help during the analysis. [...]

  7. Configuring nginx to support thinkphp's path_info mode | kk |

    [...] There are two ways to get this kind of PATH_INFO. One is to use PHP's built-in cgi.fix_pathinfo, which has to be turned on, but that may carry a vulnerability; see (A Possible Security Vulnerability in Nginx + PHP CGI). What I describe here is the other approach: using nginx's own regex filtering to emulate the needed behaviour. [...]

  8. 风雪之隅 - 鸟哥's article roundup | 互联网菜鸟 |

    [...] 20 May 10 A Possible Security Vulnerability in Nginx + PHP CGI [...]

  9. » Nginx configuration file explained 狗 |

    [...] If the path does not really exist, rewrite to the index.php script. This method reportedly needs pathinfo, so there is a slight performance cost, and there is also a security issue that I have not had time to look into yet. location / { if (!-e $request_filename){ rewrite ^/(.*) /index.php last; } } [...]

  17. Understand the cgi.fix_pathinfo security issue | kc's blog |

    [...] I read it correctly, the cgi.fix_pathinfo security issue was brought into discussion by laruence in late May 2010 that with SCRIPT_FILENAME set by greedy regexp capturing, PHP web application is [...]

  18. A Possible Security Vulnerability in Nginx + PHP CGI | 知道12 |

    [...] Original post: http://www.laruence.com/2010/05/20/1495.html [...]

  19. Repost: A Possible Security Vulnerability in Nginx + PHP CGI « 徐核心的博客 |

    [...] Original post: http://www.laruence.com/2010/05/20/1495.html [...]

  20. The PATH_INFO problem with Nginx (PHP/fastcgi) » ijser |

    [...] A recently discovered security vulnerability (A Possible Security Vulnerability in Nginx + PHP CGI) is related to this configuration; when using the second configuration, be sure to disable cgi.fix_pathinfo. [...]

  21. Anonymous |

    I tried it; my nginx/0.7.67 does not have this problem.

  22. Urgent nginx php fpm vulnerability fix! cgi.fix_pathinfo – www.ncun123.com博客 |

    [...] PS: Thanks to laruence for his help during the analysis [...]

  23. PATH_INFO is a CGI 1.1 standard, often used as a vehicle for passing parameters. – www.ncun123.com博客 |

    [...] A recently discovered security vulnerability (A Possible Security Vulnerability in Nginx + PHP CGI) is related to this configuration; when using the second configuration, be sure to disable cgi.fix_pathinfo. [...]

  24. nginx file type misparsing vulnerability | 一沙一世界 一花一天堂 |

    [...] Thanks to laruence [...]

  25. Penetration Testing Lab › Nginx Security Law |

    [...] [1]http://hi.baidu.com/yuange1975/blog/item/4c223031a6727eaf5edf0e46.html [2]http://www.laruence.com/2010/05/20/1495.html This was written by admin. Posted on Friday, May 21, 2010, at 12:51 pm. Filed under Exploit. [...]

  26. nginx file type misparsing vulnerability | Seczone |

    [...] PS: Thanks to laruence for his help during the analysis [...]

  30. 搜索引擎优化 |

    Let me try this code and verify it~

  33. youstar » Post-80s kid reveals an nginx 0day, tested and working~ |

    [...] Laruence: A Possible Security Vulnerability in Nginx + PHP CGI: link [...]

  36. Anonymous |

    if ($request_filename ~* (.*)\\.php) {
    set $php_url $1;
    }
    if (!-e $php_url.php) {
    return 403;
    }

    blog:blog.sina.com.cn/harleychen

  37. Trail's Blog » The PATH_INFO problem with Nginx (PHP/fastcgi) |

    [...] A recently discovered security vulnerability (A Possible Security Vulnerability in Nginx + PHP CGI) is related to this configuration; when using the second configuration, be sure to disable cgi.fix_pathinfo. [...]
