Press "Enter" to skip to content

Nginx + PHP CGI的一个可能的安全漏洞

现在普遍的Nginx + PHP cgi的做法是在配置文件中, 通过正则匹配(Nginx(PHP/fastcgi)的PATH_INFO问题)设置SCRIPT_FILENAME, 今天小顿发现了一个这种方式的安全漏洞.

比如, 有http://www.laruence.com/fake.jpg, 那么通过构造如下的URL, 就可以看到fake.jpg的二进制内容:

http://www.laruence.com/fake.jpg/foo.php

为什么会这样呢?

比如, 如下的nginx conf:

location ~ \.php($|/) {
	fastcgi_pass   127.0.0.1:9000;
	fastcgi_index  index.php;

	set $script    $uri;
	set $path_info "";
	if ($uri ~ "^(.+\.php)(/.*)") {
		set  $script     $1;
		set  $path_info  $2;
	}

	include       fastcgi_params;
	fastcgi_param SCRIPT_FILENAME   $document_root$script;
	fastcgi_param SCRIPT_NAME       $script;
	fastcgi_param PATH_INFO         $path_info;
}

通过正则匹配以后, SCRIPT_NAME会被设置为”fake.jpg/foo.php”, 继而构造成SCRIPT_FILENAME传递个PHP CGI, 但是PHP又为什么会接受这样的参数, 并且把a.jpg解析呢?

这就要说到PHP的cgi SAPI中的参数, fix_pathinfo了:

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix it's paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
cgi.fix_pathinfo=1

如果开启了这个选项, 那么就会触发在PHP中的如下逻辑:

/*
 * if the file doesn't exist, try to extract PATH_INFO out
 * of it by stat'ing back through the '/'
 * this fixes url's like /info.php/test
 */
if (script_path_translated &&
	(script_path_translated_len = strlen(script_path_translated)) > 0 &&
	(script_path_translated[script_path_translated_len-1] == '/' ||
....//以下省略.

到这里, PHP会认为SCRIPT_FILENAME是fake.jpg, 而foo.php是PATH_INFO, 然后PHP就把fake.jpg当作一个PHP文件来解释执行… So…

这个隐患的危害用小顿的话来说, 是巨大的.

对于一些论坛来说, 如果上传一个图片(实际上是恶意的PHP脚本), 继而构造这样的访问请求…

所以, 大家如果有用这种服务器搭配的, 请排查, 如果有隐患, 请关闭fix_pathinfo(默认是开启的).

详细漏洞信息, 请移步小顿的BLOG: 80Sec

另: 我认为这个和Nginx没啥关系, 不属于Nginx的漏洞. 是配置的问题, 现在到处都在说是Nginx的Bug, 不妥不妥.

126 Comments

  1. […] 能做到这种PATH_INFO有两种方式,一种是使用php自带的cgi.fix_pathinfo,需要把这个配置打开,当然这里可能会有漏洞,请参照(Nginx + PHP CGI的一个可能的安全漏洞)。我这里讲述的是另外一种方案,即使用nginx自己的正则过滤机制,模拟需要的情况。 […]

  2. […] 如果路径不是真实存在,就rewrite到index.php脚本。据说这种方法需要pathinfo所以有一点性能问题,而且有一个安全问题,还没时间研究。 location / { if (!-e $request_filename){ rewrite ^/(.*) /index.php last; } } […]

  3. seo Stevenage
    seo Stevenage 2014-07-29

    Hi! I knhow this is kinda off topic but I was wondering which blog platform are you using for this site?

    I’m getting tired of WordPress because I’ve had problems with hackers and I’m looking at alternatives for another platform.
    I would be fantastic if you could point me in the direction of a good platform.

    Here is my web page seo Stevenage

  4. I almost never drop remarks, but i did some searching and wound up here Nginx +
    PHP CGI的一个可能的安全漏洞 | 风雪之隅.

    And I do have some questions for you if you tend not to mind.

    Is it just me or does it look as if like a few of these comments come across like they
    are written by brain dead visitors? 😛 And,
    if you are posting on other online social sites, I would like to follow everything fresh you have to
    post. Could you make a list of all of all your shared
    pages like your Facebook page, twitter feed, or linkedin profile?

  5. grosse
    grosse 2014-05-14

    Les posts sont effectivement plaisants

  6. Jasa SEO
    Jasa SEO 2013-07-22

    Woah! I’m really enjoying the template/theme of this website. It’s
    simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between user friendliness and visual appearance. I must say that you’ve done a awesome
    job with this. Additionally, the blog loads very
    quick for me on Chrome. Outstanding Blog!

  7. Jasa SEO
    Jasa SEO 2013-07-15

    Greetings! Very useful advice within this post!
    It’s the little changes that make the greatest changes. Thanks for sharing!

  8. […] 最近发现的一个安全漏洞(Nginx + PHP CGI的一个可能的安全漏洞)和这个配置有关系, 请大家务必在使用第二种配置的时候,关闭cgi.fix_pathinfo. […]

  9. Anonymous
    Anonymous 2011-09-13

    我试了,我的nginx/0.7.67版本没有这个问题

  10. […] [1]http://hi.baidu.com/yuange1975/blog/item/4c223031a6727eaf5edf0e46.html [2]http://www.laruence.com/2010/05/20/1495.html This was written by admin. Posted on Friday, May 21, 2010, at 12:51 pm. Filed under Exploit. […]

  11. DADSA
    DADSA 2011-03-22

    DASASDSA

  12. hosting
    hosting 2011-03-21

    This is awsome water text effect :())

  13. film izle
    film izle 2010-09-28

    thanks you , All are nice t-shirts the color combination is good.

  14. Anonymous
    Anonymous 2010-09-07

    if ($request_filename ~* (.*)\\.php) {
    set $php_url $1;
    }
    if (!-e $php_url.php) {
    return 403;
    }

    blog:blog.sina.com.cn/harleychen

  15. SerranoMaritza33
    SerranoMaritza33 2010-07-27

    Following my own exploration, thousands of persons on our planet receive the personal loans from good banks. Therefore, there’s great possibilities to receive a car loan in all countries.

  16. Bander
    Bander 2010-06-21

    弱弱问一句:关闭cgi.fix_pathinfo为0 可否解决噢?

Leave a Reply

Your email address will not be published. Required fields are marked *