
A possible security vulnerability in Nginx + PHP CGI

The common way to run Nginx + PHP CGI today is to set SCRIPT_FILENAME in the config file through a regex match (see: the Nginx (PHP/fastcgi) PATH_INFO problem). Today 小顿 found a security hole in this approach.

For example, given http://www.laruence.com/fake.jpg, constructing the following URL lets you see the binary contents of fake.jpg:

http://www.laruence.com/fake.jpg/foo.php

Why does this happen?

Take the following nginx conf, for example:

location ~ \.php($|/) {            # also matches /fake.jpg/foo.php, since the URI ends in .php
	fastcgi_pass   127.0.0.1:9000;
	fastcgi_index  index.php;

	set $script    $uri;
	set $path_info "";
	# splits /a.php/extra into $script=/a.php and $path_info=/extra;
	# /fake.jpg/foo.php has nothing after ".php", so this does not match
	# and $script stays /fake.jpg/foo.php
	if ($uri ~ "^(.+\.php)(/.*)") {
		set  $script     $1;
		set  $path_info  $2;
	}

	include       fastcgi_params;
	fastcgi_param SCRIPT_FILENAME   $document_root$script;   # => $document_root/fake.jpg/foo.php
	fastcgi_param SCRIPT_NAME       $script;
	fastcgi_param PATH_INFO         $path_info;
}

After the regex match, SCRIPT_NAME is set to "fake.jpg/foo.php", which is then used to build SCRIPT_FILENAME and passed to PHP CGI. But why does PHP accept such a parameter, and go on to parse fake.jpg?

This brings us to a setting in PHP's CGI SAPI, fix_pathinfo:

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix it's paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
cgi.fix_pathinfo=1

With this option enabled, the following logic in PHP is triggered:

/*
 * if the file doesn't exist, try to extract PATH_INFO out
 * of it by stat'ing back through the '/'
 * this fixes url's like /info.php/test
 */
if (script_path_translated &&
	(script_path_translated_len = strlen(script_path_translated)) > 0 &&
	(script_path_translated[script_path_translated_len-1] == '/' ||
....// rest omitted.

At this point PHP decides that SCRIPT_FILENAME is fake.jpg and that foo.php is PATH_INFO, and then interprets and executes fake.jpg as a PHP file... So...

In 小顿's words, the danger of this hole is enormous.

Take forums: upload an image (which is actually a malicious PHP script), then construct a request like the one above...

So if you run this server combination, please check your setup; if you are affected, disable fix_pathinfo (it is enabled by default).
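To make both halves of the post concrete, here is an added Python model (not the author's code, and not PHP's actual source) of the nginx split in the config above and of PHP CGI's walk-back, replayed against a constructed temporary docroot that holds only fake.jpg; it shows what each value of cgi.fix_pathinfo does with the URL from the post.

```python
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# The split the location block in the post performs: if ($uri ~ "^(.+\.php)(/.*)")
NGINX_SPLIT = re.compile(r"^(.+\.php)(/.*)")

def split_like_nginx(uri: str) -> Tuple[str, str]:
    """Return ($script, $path_info) the way the nginx config computes them."""
    m = NGINX_SPLIT.match(uri)
    return (m.group(1), m.group(2)) if m else (uri, "")

def resolve_like_php_cgi(docroot: str, script: str, fix_pathinfo: bool) -> Optional[Tuple[str, str]]:
    """Simplified model (not PHP's source) of how the CGI SAPI picks the file to execute.
    Returns (file relative to docroot, PATH_INFO), or None where PHP answers
    "No input file specified"."""
    full = docroot + script  # SCRIPT_FILENAME = $document_root$script
    if os.path.isfile(full):
        return script, ""
    if not fix_pathinfo:
        return None  # cgi.fix_pathinfo=0: SCRIPT_FILENAME is taken literally
    # cgi.fix_pathinfo=1: stat back through each '/' until a real file turns up;
    # the remainder becomes PATH_INFO, whatever extension that file has.
    end = len(full)
    while True:
        end = full.rfind("/", len(docroot), end)
        if end <= len(docroot):
            return None  # walked back to the docroot without finding a file
        if os.path.isfile(full[:end]):
            return full[len(docroot):end], full[end:]

def demo(uri: str = "/fake.jpg/foo.php") -> Dict[str, object]:
    """Replay the post's URL against a constructed docroot that holds only fake.jpg."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "fake.jpg"), "wb") as f:
            f.write(b"\xff\xd8 constructed sample, not a real JPEG")
        script, path_info = split_like_nginx(uri)
        return {
            "nginx_split": (script, path_info),
            "fix_pathinfo=1": resolve_like_php_cgi(docroot, script, True),
            "fix_pathinfo=0": resolve_like_php_cgi(docroot, script, False),
        }

if __name__ == "__main__":
    for setting, result in demo().items():
        print(f"{setting}: {result}")
```

With fix_pathinfo=1 the model lands on /fake.jpg with PATH_INFO /foo.php, exactly the outcome the post describes; with fix_pathinfo=0 the nonexistent SCRIPT_FILENAME is simply rejected.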

For full details of the vulnerability, head over to 小顿's blog: 80Sec

Also: I think this has nothing to do with Nginx and is not an Nginx vulnerability. It is a configuration problem. Everyone is calling it an Nginx bug right now, and that is not right.

133 Comments


  6. darron
    darron 2018-07-17

    Hello, in the first line of the article, the link on "through a regex match (the Nginx (PHP/fastcgi) PATH_INFO problem)" is misconfigured.

    After reading both of your articles, my conclusion is that there are two ways to handle PATH_INFO:
    1. Let PHP handle it, but nginx still has to support it, which needs one parameter configured:
    fastcgi_param PATH_INFO $fastcgi_script_name;
    (although I don't know why...)

    2. Let nginx handle it, but then php's cgi.fix_pathinfo has to be set to 0


  8. belen
    belen 2018-03-02

    Thank you so much, this cleared up something that has puzzled me for a long time. A site I saw before must have been hit exactly this way.

