

Avoiding Arbitrary Code Execution with nginx and php-fastcgi - nbpoole
https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/

======
pilif
This is another reason why it was a good idea to have my big application
consist of only one public file which can easily be whitelisted. Everything
else lives outside the web root and is never directly executed.

    location ~ ^/index\.php {
        proxy_pass   http://localhost:8080;
    }

Everything else in the web root is static files and can be served directly.
The rest of the application uses a URL routing scheme based on PATH_INFO.

~~~
ichilton
I use something similar but a bit simpler to read:

    location = /index.php {
        fastcgi_pass 127.0.0.1:9000;
    }

------
acabal
Wow, am I glad I caught this link--I'm just now switching my servers from
Apache to Nginx/php-fastcgi, configured more or less just like the article
says...

I decided to switch to Nginx for the fabled performance benefits and
relatively simple configuration. But this now makes me wonder what other
gotchas there are in store for me... I have a long history with Apache, maybe
I should just stick with it after all...

~~~
d_r
Articles like this are exactly why I come to HN.

I was planning to move my server from Apache to Nginx soon. I suppose it's as
good a time as ever to learn any gotchas.

------
kitcar
Was totally unaware of this issue in Nginx/PHP-FPM - going to check my conf
files now!

UPDATE: Here's the thread on this issue right from NGINX.org
<http://forum.nginx.org/read.php?2,88845,page=3>

~~~
nbpoole
Yup, that was the first page I found too: it's also the first result for "php
nginx 0 day." I link to it a couple times in the post. :)

------
tszming
In fact, this is well documented:
[http://wiki.nginx.org/Pitfalls#Passing_Every_.7E_.5C.php.24_...](http://wiki.nginx.org/Pitfalls#Passing_Every_.7E_.5C.php.24_request_to_to_PHP)
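As an added example (not code from the article, the nginx wiki, or any commenter), here is the "pass every `~ \.php$` request" block the Pitfalls page warns about, beside two ways to close the hole, plus a small audit function of the kind kitcar's "going to check my conf files" calls for. The three nginx snippets are constructed for this example. The checker only sees the nginx side: it cannot tell whether php.ini has `cgi.fix_pathinfo=0` or PHP-FPM restricts `security.limit_extensions`, and its brace-and-regex parse is deliberately simple, so treat a clean result as "nothing obvious", not as proof.

```python
import re

# Constructed sample: the "pass every ~ \.php$ request" block that many
# nginx + php-fastcgi tutorials reproduced. With cgi.fix_pathinfo=1 in php.ini,
# a request such as /uploads/avatar.jpg/x.php matches this location and PHP
# falls back to executing /uploads/avatar.jpg as a script.
WEAK_CONF = r"""
server {
    root /var/www/example;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
"""

# Constructed hardened variant: nginx refuses to hand the request to PHP unless
# the requested URI exists as a file, so /uploads/avatar.jpg/x.php gets a 404.
HARDENED_CONF = r"""
server {
    root /var/www/example;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
"""

# Constructed whitelist variant, the approach the commenters above take:
# only the single front controller is ever handed to PHP.
WHITELIST_CONF = r"""
server {
    root /var/www/example;
    location = /index.php {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location / {
        try_files $uri /index.php$is_args$args;
    }
}
"""

# Matches "location [modifier] pattern {" so that m.end() - 1 is the brace.
LOCATION_RE = re.compile(r"location\s+(?:(=|~\*|~|\^~)\s*)?(\S+)\s*\{")


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in nginx config")


def audit_php_locations(conf):
    """Flag regex location blocks that hand *.php requests to a backend
    without first requiring the requested path to exist as a file.

    Returns a list of (pattern, reason) tuples; an empty list means no
    finding. Exact (=) and prefix matches are not regex-based and are skipped.
    """
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, pattern = m.group(1), m.group(2)
        body = _block_body(conf, m.end() - 1)
        if modifier not in ("~", "~*"):
            continue  # exact/prefix match: no wildcard over the path
        if ".php" not in pattern:
            continue  # regex does not target PHP files
        if not re.search(r"\b(fastcgi_pass|proxy_pass)\b", body):
            continue  # nothing is executed from this block
        if re.search(r"\btry_files\b[^;]*=404", body):
            continue  # request must map to a real file before PHP sees it
        findings.append((pattern, "regex .php location passed to backend without try_files $uri =404"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("whitelist", WHITELIST_CONF)):
        print(name, audit_php_locations(conf) or "OK")
```

Point `audit_php_locations` at the contents of your own `sites-enabled` files to get a first pass; the whitelist form is the most robust of the three because it never exposes a wildcard at all, while `try_files $uri =404` keeps the conventional layout and still blocks the path-info trick.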

------
Joakal
For strong security (especially for frameworks like CodeIgniter):

    location = /index.php { proxy_pass http://localhost:8080; }

It only runs exactly index.php in the root.

------
calloc
Does this same issue exist within Lighttpd with a FastCGI setup?

~~~
nbpoole
I don't see any reason why it wouldn't. I do plan to test that later today
though.

~~~
nbpoole
Tested with the suggested configuration from the lighttpd wiki. I could not
replicate the issue, which is strange.

------
CWIZO
Is this PHP-FastCGI specific, or is PHP-FPM affected too?

~~~
jacques_chester
PHP-FPM _is_ FastCGI, with a process manager thrown in.

~~~
CWIZO
Oh, I'm not a sys admin, so I wasn't sure :) Thanks.

