2010-05-26

Nginx & PHP via FastCGI important security issue

A critical security issue has recently been pointed out on servers that run Nginx and PHP via FastCGI. The issue allows anyone to execute their own PHP code on the system, and I don't think I have to remind you of the consequences this could have. I will attempt to provide a simple explanation of the issue and, more importantly, how to fix it.

What is the issue?
I would like to begin by discussing the nature of the problem: it is not caused by Nginx itself - it is not a bug or a security breach in itself. Actually, it is the way that people usually configure Nginx FastCGI options to work with PHP, and how PHP reacts to that configuration. Pretty much everyone adopts the same configuration without being aware of the issue.

The issue itself is simple to understand; afterwards I will explain why PHP behaves that way. Most dynamic websites allow file uploads for one reason or another. Say I'm running a forum-based community where users can upload images to use as a personal photo or avatar. The photo gets uploaded and you get the following URL:
http://myforum.com/uploads/photo1234.jpg
The breach consists of appending an additional path element to the URL, making it end in .php:
http://myforum.com/uploads/photo1234.jpg/anything.php

Under certain conditions (and unfortunately with default settings), your photo1234.jpg gets processed as a PHP file. So you could rename a PHP script to .jpg, upload it as an image, then execute the script on the server.

There is a simple way to find out right away whether your server is vulnerable to this attack. Find a regular file on your server, such as http://myforum.com/robots.txt. Examine the HTTP headers of the response:
HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Wed, 26 May 2010 10:56:01 GMT
Content-Type: text/plain
Content-Length: 43
(...)

Now add /test.php after the URL: http://myforum.com/robots.txt/test.php:
HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Wed, 26 May 2010 10:56:01 GMT
Content-Type: text/plain
Content-Length: 43
(...)
X-Powered-By: PHP/5.2.3

The X-Powered-By header was added by PHP, which shows that the file was processed by PHP. Now visit that URL, http://myforum.com/robots.txt/test.php, in your web browser. What do you see?
- Do you see the robots.txt file? If so, your server is vulnerable.
- Do you see an error page (403, 404, 500, 502...) or just the simple message "No input file specified"? If so, your server is not affected by the problem.

Why does this happen?
There are two main reasons why this happens. First let's have a look at the data Nginx transmits to PHP.
A regular FastCGI/PHP configuration would be as follows:
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/vhosts/myforum.com/httpdocs$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;

When a URL like http://myforum.com/uploads/photo1234.jpg/anything.php is requested from Nginx, here is the data that gets sent:
fastcgi_param SCRIPT_FILENAME /var/www/vhosts/myforum.com/httpdocs/uploads/photo1234.jpg/anything.php;
fastcgi_param PATH_INFO /uploads/photo1234.jpg/anything.php;

So far, no problem. PHP is supposed to load a file anything.php, in the directory /var/www/vhosts/myforum.com/httpdocs/uploads/photo1234.jpg/. Naturally, this directory should not exist, and anything.php shouldn't exist either, so we should be getting a 404 error.
However, that's where the problem comes in. The PHP option cgi.fix_pathinfo, when enabled (and it is usually enabled by default), will transform these two parameters. The SCRIPT_FILENAME becomes /var/www/vhosts/myforum.com/httpdocs/uploads/photo1234.jpg, which means the .jpg file actually becomes the request filename, and it gets treated as PHP. And PATH_INFO becomes /anything.php. The original purpose of this option was to allow URLs of this kind: index.php/param1/param2/...
But when combined with Nginx, this turns into a major issue.
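
The path walk described above, as a simplified Python model (an added example, not code from PHP or from the original post). The function names and the temporary document root are assumptions made for illustration; the file it creates is a constructed placeholder.

```python
import os
import tempfile


def resolve_script(script_filename, fix_pathinfo=True):
    """Simplified model of how PHP's FastCGI SAPI picks the file to run.

    Returns (script_filename, path_info), or None where PHP would answer
    "No input file specified".
    """
    if os.path.isfile(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        return None
    # cgi.fix_pathinfo=1: strip trailing path components until a regular
    # file is found; whatever was stripped becomes PATH_INFO.
    candidate = script_filename
    while "/" in candidate:
        candidate = candidate.rsplit("/", 1)[0]
        if os.path.isfile(candidate):
            return candidate, script_filename[len(candidate):]
    return None


def demo():
    # Constructed docroot holding one uploaded "image", as in the article.
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "uploads"))
        upload = os.path.join(docroot, "uploads", "photo1234.jpg")
        with open(upload, "w") as fh:
            fh.write("constructed placeholder, not a real image\n")
        # What Nginx sends as SCRIPT_FILENAME for the appended-path URL.
        requested = docroot + "/uploads/photo1234.jpg/anything.php"
        on = resolve_script(requested, fix_pathinfo=True)
        off = resolve_script(requested, fix_pathinfo=False)
        return (os.path.relpath(on[0], docroot), on[1]), off


if __name__ == "__main__":
    print(demo())
```

With the option on, the model settles on the uploaded .jpg as the script; with it off, nothing is resolved and the request fails.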


How do I fix it?
Well, the simplest thing you can do is open up your php.ini configuration file, and insert this directive in the main section:
cgi.fix_pathinfo=0
Then restart PHP-FPM or whatever FastCGI manager you're using.

Unfortunately, in some cases that is not a possible solution, since other scripts on your server may rely on this option. In that case, there are mainly two different solutions you could employ on the Nginx side.

First, you could check that the requested URI actually exists, before passing the request via FastCGI:
location ~ \.php$ {
    if (!-f $request_filename) {
        return 404;
    }
    fastcgi_pass 127.0.0.1:9000;
    [...]
}

This solution is efficient and a few of us Nginx+PHP users have adopted it.
Otherwise, if you think it consumes too many resources, you could check whether the URI meets the following conditions:
- if the URI contains a dot, then a slash (example: image.jpg/...)
- if the URI ends with ".php" (example: image.jpg/test.php)
- then return a 403 error.
location ~ \..*/.*\.php$ {
    return 403;
}
location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    ...
}

Alternatively, you could make sure that PHP is only enabled in certain directories, where file uploads are not allowed:
location ~ ^/(scripts|sources|src)/.*\.php$ {
    fastcgi_pass 127.0.0.1:9000;
    ...
}
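
To see how the two regex-based configurations above treat different requests, here is a small routing model in Python (an added example, not part of the original post). The regexes are copied from the location blocks above; the function names, the result labels and the sample URIs are constructed for illustration, and "static" simply means the request is not passed to PHP.

```python
import re

# Regexes copied from the article's location blocks.
BLOCK_RE = re.compile(r"\..*/.*\.php$")   # a dot, later a slash, ends in .php
PHP_RE = re.compile(r"\.php$")
ALLOW_RE = re.compile(r"^/(scripts|sources|src)/.*\.php$")


def route_blocklist(uri):
    """Regex locations are tried in config order; the first match wins."""
    if BLOCK_RE.search(uri):
        return "403"
    if PHP_RE.search(uri):
        return "fastcgi"
    return "static"


def route_allowlist(uri):
    """PHP is enabled only under the listed directories."""
    return "fastcgi" if ALLOW_RE.search(uri) else "static"


# Constructed sample URIs.
SAMPLES = [
    "/index.php",
    "/uploads/photo1234.jpg",
    "/uploads/photo1234.jpg/anything.php",
    "/robots.txt/test.php",
    "/forum-2.1/index.php",     # legitimate script under a dotted directory
    "/scripts/report.php",
    "/src/avatar.jpg/x.php",    # allowlisted prefix: still handed to PHP
]


def table():
    return {u: (route_blocklist(u), route_allowlist(u)) for u in SAMPLES}


if __name__ == "__main__":
    for uri, (block, allow) in table().items():
        print(f"{uri:40} blocklist={block:8} allowlist={allow}")
```

Two things to check before deploying: the 403 rule also rejects legitimate scripts that live under a directory whose name contains a dot, and the directory allowlist only helps as long as no uploads can land inside the allowed directories.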

Thanks for reading. And if you find this vulnerability on servers that do not belong to you, contact the server administrator immediately to report the problem!

The problem was discovered here: http://www.80sec.com/nginx-securit.html
And discussed here: http://www.pubbs.net/201005/nginx/39767-nginx-0day-exploit-for-nginx-fastcgi-php.html

Thanks to Martin F. for reporting the issue!

11 comments:

Kuroir said...

Awesome tip, thanks for sharing.

superrider said...

I found a great article while googling, I recommend the article to everybody
http://www.discusswire.com/secur-nginx-php/

leopardx said...

Thank you so much, that's a potentially nasty exploit, especially since I'm completely new to Nginx and am a bit worried about leaving such a thing like this open.
