Developer / Director at Instantiate
http://instantiate.co.uk
Nginx
Still using 2.2?
2.4
mod_fcgid
mod_proxy + mod_proxy_fcgi
mod_fastcgi
Apache 2.4 + mod_proxy + mod_proxy_fcgi
Security issue
location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fastcgi_params;
}
Request: /uploads/death.jpg/something.php
PHP's fix_pathinfo splits this into:
SCRIPT_FILENAME = /uploads/death.jpg
PATH_INFO = /something.php
So death.jpg is executed as a script!
Fix options:
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
    return 404;
}
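Added example (not from the original slides): a small Python model of the request handling described above, showing how the location match plus PHP's path walk-back ends up executing the uploaded file, and how the split and file-check lines change the outcome. The function names, the file set and the /index.php requests are constructed for illustration; the walk-back is a simplified model of fix_pathinfo, not PHP's own code.

```python
import re

# Constructed sample: files assumed to exist under the document root.
DOCROOT_FILES = {"/index.php", "/uploads/death.jpg"}

PHP_LOCATION = re.compile(r"\.php$")                # location ~ \.php$
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")  # fastcgi_split_path_info

def php_resolve(script_name, exists):
    """Simplified fix_pathinfo: drop trailing segments until a real file is found."""
    path, path_info = script_name, ""
    while path and not exists(path):
        path, _, tail = path.rpartition("/")
        path_info = "/" + tail + path_info
    return (path, path_info) if path else (None, "")

def handle(uri, split_path_info=False, file_check=False, files=DOCROOT_FILES):
    """Return (status, executed_script, path_info) for a request URI."""
    exists = files.__contains__
    if not PHP_LOCATION.search(uri):
        # Not handed to PHP: served as a static file, never executed.
        return (200, None, "") if exists(uri) else (404, None, "")
    script_name, path_info = uri, ""
    if split_path_info:
        m = SPLIT_PATH_INFO.match(uri)
        if m:  # on no match the script name stays the whole URI
            script_name, path_info = m.group(1), m.group(2)
    if file_check and not exists(script_name):
        return (404, None, "")  # if (!-f ...) { return 404; }
    script, extra = php_resolve(script_name, exists)
    if script is None:
        return (404, None, "")
    return (200, script, extra + path_info)

if __name__ == "__main__":
    for uri in ("/uploads/death.jpg/something.php", "/index.php/a/b.php"):
        print(uri)
        print("  original config :", handle(uri))
        print("  file check only :", handle(uri, file_check=True))
        print("  split + check   :", handle(uri, split_path_info=True, file_check=True))
```

The file check alone also rejects a legitimate PATH_INFO request such as /index.php/a/b.php, which is why the split line accompanies it.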
Best fix: