Nginx & PHP via FastCGI important security issue

A critical security issue has recently been pointed out on servers that run Nginx and PHP via FastCGI. The issue allows anyone to execute their own PHP code on the system; I don't think I have to remind you of the consequences this could have. I will attempt to provide a simple explanation of the issue and, more importantly, of how to fix it.

What is the issue?
I would like to begin by discussing the nature of the problem: it is not caused by Nginx itself, and it is neither a bug nor a security breach in Nginx. It lies in the way people usually configure Nginx's FastCGI options to work with PHP, and in how PHP reacts to that configuration. Pretty much everyone adopts the same configuration without being aware of the issue.

The issue itself can be understood simply; afterwards I will explain why PHP behaves that way. Most dynamic websites allow file uploads for one reason or another. Say I'm running a forum-based community: users can upload images to use as a personal photo or avatar. The photo gets uploaded and becomes reachable at a URL such as http://myforum.com/uploads/photo1234.jpg. The breach consists in appending an additional path element to that URL so that it ends in .php, for example http://myforum.com/uploads/photo1234.jpg/anything.php.

Under certain conditions (and unfortunately with default settings), your photo1234.jpg gets processed as a PHP file. So someone could upload a PHP script renamed as .jpg, then execute the script on the server.

If you want to know instantly whether your server is vulnerable to this attack, there is a simple test. Find a regular file on your server, such as http://myforum.com/robots.txt, and examine the HTTP headers of the response:
HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Wed, 26 May 2010 10:56:01 GMT
Content-Type: text/plain
Content-Length: 43

Now add /test.php after the URL: http://myforum.com/robots.txt/test.php:
HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Wed, 26 May 2010 10:56:01 GMT
Content-Type: text/plain
Content-Length: 43
X-Powered-By: PHP/5.2.3

The X-Powered-By header was added by PHP, which shows that the request was processed by PHP. Now visit that URL, http://myforum.com/robots.txt/test.php, in your web browser. What do you see?
- Do you see the robots.txt file? If so, your server is vulnerable.
- Do you see an error page (403, 404, 500, 502...) or just the simple message "No input file specified"? If so, your server is not affected by the problem.
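The same check, scripted. This is an added example and not part of the original post: it fetches a plain static file and the same URL with /test.php appended, then applies the decision above, with the body comparison (not the X-Powered-By header, which expose_php=Off removes) as the deciding factor. The sample responses embedded in it are constructed to mirror the header listings above, not captured from any server; http://myforum.com/robots.txt and the User-Agent string are placeholders.

```python
import sys
import urllib.error
import urllib.request

# Constructed sample responses (status, headers, body) mirroring the header
# listings above; none were captured from a real server.
ROBOTS_BODY = b"User-agent: *\nDisallow: /admin/\n"
SAMPLE_PLAIN = (200, {"Content-Type": "text/plain"}, ROBOTS_BODY)
SAMPLE_VULNERABLE = (200, {"Content-Type": "text/plain",
                           "X-Powered-By": "PHP/5.2.3"}, ROBOTS_BODY)
SAMPLE_NO_INPUT = (200, {"X-Powered-By": "PHP/5.2.3"},
                   b"No input file specified.\n")
SAMPLE_NOT_FOUND = (404, {"Content-Type": "text/html"},
                    b"<h1>404 Not Found</h1>")


def classify(plain, probe):
    """Apply the decision from the post to the response for /robots.txt
    (plain) and for /robots.txt/test.php (probe).

    "vulnerable"   - the probe came back 200 with the plain file's own
                     content, so PHP executed a non-PHP file;
    "not-affected" - an error status, or PHP's "No input file specified";
    "undetermined" - anything else (inspect by hand).
    The X-Powered-By header is only a hint (expose_php=Off removes it), so
    the body comparison is what decides.
    """
    p_status, _p_headers, p_body = plain
    q_status, _q_headers, q_body = probe
    if q_status != 200 or b"No input file specified" in q_body:
        return "not-affected"
    if p_status == 200 and q_body == p_body:
        return "vulnerable"
    return "undetermined"


def fetch(url):
    """GET url and return (status, headers, body).  HTTP errors are returned
    rather than raised, because a 404/500 for the probe is a valid result."""
    req = urllib.request.Request(url, headers={"User-Agent": "fix-pathinfo-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def check_server(file_url):
    """Run both requests against a live server; file_url is any plain static
    file on it, e.g. http://myforum.com/robots.txt (placeholder host)."""
    return classify(fetch(file_url), fetch(file_url.rstrip("/") + "/test.php"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check.py http://myforum.com/robots.txt")
    print(check_server(sys.argv[1]))
```

Run it against your own server with the URL of any static file; "undetermined" means the probe returned 200 with a body that is neither the file nor PHP's error message, which is worth looking at by hand.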

Why does this happen?
There are two main reasons why this happens. First, let's have a look at the data Nginx transmits to PHP.
A regular FastCGI/PHP configuration would be as follows:
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/vhosts/myforum.com/httpdocs$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;

When a URL like http://myforum.com/uploads/photo1234.jpg/anything.php is requested from Nginx, here is the data that gets sent:
fastcgi_param SCRIPT_FILENAME /var/www/vhosts/myforum.com/httpdocs/uploads/photo1234.jpg/anything.php;
fastcgi_param PATH_INFO /uploads/photo1234.jpg/anything.php;

So far, no problem. PHP is supposed to load a file anything.php in the directory /var/www/vhosts/myforum.com/httpdocs/uploads/photo1234.jpg/. Naturally, this directory should not exist, and anything.php shouldn't exist either, so we should be getting a 404 error.
However, that's where the problem comes in. The PHP option cgi.fix_pathinfo, when enabled (and it is usually enabled by default), transforms these two parameters. SCRIPT_FILENAME becomes /var/www/vhosts/myforum.com/httpdocs/uploads/photo1234.jpg, which means the .jpg file becomes the script actually requested and gets treated as PHP, and PATH_INFO becomes /anything.php. The original purpose of this option was to allow URLs of the form index.php/param1/param2/...
But when combined with Nginx, this turns into a major issue.
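The transformation above, emulated in Python. This is an added example, not code from the original post or from PHP: resolve() reproduces the path-shortening that cgi.fix_pathinfo performs (walk back one path component at a time until an existing regular file is found, then treat the rest as PATH_INFO), and runs it against a constructed temporary document root standing in for /var/www/vhosts/myforum.com/httpdocs. Both the legitimate index.php/param1/param2 case and the photo1234.jpg/anything.php case are resolved with the option on and off; POSIX paths are assumed.

```python
import os
import tempfile


def resolve(script_filename, fix_pathinfo=True):
    """Derive (script, path_info) the way PHP's CGI/FPM SAPI does.

    With cgi.fix_pathinfo=1 (the usual default) a SCRIPT_FILENAME that does
    not exist is shortened one path component at a time until an existing
    regular file is found; that file becomes the script to execute and the
    cut-off tail becomes PATH_INFO.  With cgi.fix_pathinfo=0 the path is
    taken literally, and a missing file yields "No input file specified",
    modelled here as script None.
    """
    if os.path.isfile(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        return None, ""
    path = script_filename
    while "/" in path.strip("/"):
        path = path.rpartition("/")[0]
        if os.path.isfile(path):
            return path, script_filename[len(path):]
    return None, ""


def build_demo_tree():
    """Constructed document root (a temp dir standing in for
    /var/www/vhosts/myforum.com/httpdocs): a real index.php and an uploaded
    'image' that is only placeholder bytes."""
    root = tempfile.mkdtemp(prefix="httpdocs-")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'forum index'; ?>\n")
    with open(os.path.join(root, "uploads", "photo1234.jpg"), "wb") as f:
        f.write(b"\xff\xd8 constructed placeholder for an uploaded image")
    return root


def demo(fix_pathinfo=True):
    """Resolve the two URLs discussed above against the demo tree and return
    {uri: (script relative to the docroot, or None, PATH_INFO)}."""
    root = build_demo_tree()
    results = {}
    for uri in ("/index.php/param1/param2",
                "/uploads/photo1234.jpg/anything.php"):
        script, info = resolve(root + uri, fix_pathinfo)
        results[uri] = (None if script is None else script[len(root):], info)
    return results


if __name__ == "__main__":
    for setting in (True, False):
        print("cgi.fix_pathinfo =", int(setting))
        for uri, (script, info) in demo(setting).items():
            print(f"  {uri:40} -> script={script!r:26} PATH_INFO={info!r}")
```

With the option on, the uploaded .jpg is what PHP ends up executing; with it off, that request fails, but so does the index.php/param1/param2 style of URL the option exists for, which is exactly why some servers cannot simply disable it.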

How do I fix it?
Well, the simplest thing you can do is open up your php.ini configuration file and disable the cgi.fix_pathinfo option described above in the main section.
Then restart PHP-FPM or whatever FastCGI manager you're using.

Unfortunately, in some cases that is not a possible solution, since other scripts on your server may rely on this option. In that case you can employ mainly two different solutions on the Nginx side.

First, you could check that the requested URI actually exists, before passing the request via FastCGI:
location ~ \.php$ {
    if (!-f $request_filename) {
        return 404;
    }
    # ... fastcgi_pass and fastcgi_param directives as before ...
}

This solution is efficient, and a few of us Nginx+PHP users have adopted it.
Otherwise, if you think it consumes too many resources, you could check the URI against the following requirements:
- if the URI contains a dot followed later by a slash (example: image.jpg/...)
- and the URI ends with ".php" (example: image.jpg/test.php)
- then return a 403 error.
location ~ \..*/.*\.php$ {
    return 403;
}
location ~ \.php$ {
    # ... fastcgi_pass and fastcgi_param directives as before ...
}

Alternatively, you could make sure that PHP is only enabled in certain directories, where file uploads are not allowed:
location ~ ^/(scripts|sources|src)/.*\.php$ {
    # ... fastcgi_pass and fastcgi_param directives as before ...
}
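To see what each of the three Nginx-side fixes does with a given request, here is an added example (not from the original post, and not Nginx's own matching code) that re-implements the three location rules above in Python and runs them over a handful of constructed URIs. The set of existing files is constructed too; it stands in for the filesystem that the -f $request_filename test consults. The final sample URI, /v1.2/app.php, is not from the post and is included to show a limitation of the dot-then-slash rule.

```python
import re

# Constructed set of files present under the document root; it stands in for
# the filesystem that nginx's "-f $request_filename" test consults.
EXISTING_FILES = {"/index.php", "/robots.txt", "/uploads/photo1234.jpg",
                  "/scripts/admin.php"}

PHP_URI = re.compile(r"\.php$")                      # location ~ \.php$
DOT_THEN_SLASH = re.compile(r"\..*/.*\.php$")        # location ~ \..*/.*\.php$
PHP_DIRS = re.compile(r"^/(scripts|sources|src)/.*\.php$")

# Each rule returns what nginx does with the request:
#   "fastcgi" - handed to PHP; "403"/"404" - rejected by the rule;
#   "static"  - no PHP location matched, so nginx serves it as a plain file
#               (or answers 404 itself if there is no such file).


def rule_request_filename(uri):
    """Fix 1: inside location ~ \\.php$, pass to PHP only if the file exists."""
    if not PHP_URI.search(uri):
        return "static"
    return "fastcgi" if uri in EXISTING_FILES else "404"


def rule_dot_then_slash(uri):
    """Fix 2: a .php URI containing a dot followed later by a slash is refused."""
    if DOT_THEN_SLASH.search(uri):
        return "403"
    return "fastcgi" if PHP_URI.search(uri) else "static"


def rule_php_dirs(uri):
    """Fix 3: PHP is enabled only under directories that take no uploads."""
    return "fastcgi" if PHP_DIRS.search(uri) else "static"


def evaluate(uri):
    return {"request_filename": rule_request_filename(uri),
            "dot_then_slash": rule_dot_then_slash(uri),
            "php_dirs": rule_php_dirs(uri)}


SAMPLE_URIS = ["/index.php", "/scripts/admin.php", "/robots.txt",
               "/robots.txt/test.php", "/uploads/photo1234.jpg/anything.php",
               "/v1.2/app.php"]  # last one: a legitimate script in a dotted directory

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:40}", evaluate(uri))
```

All three rules stop the photo1234.jpg/anything.php request. The dot-then-slash regex, however, also refuses /v1.2/app.php, a legitimate script that merely lives under a directory with a dot in its name, so if your site has such paths the first fix (testing that the file exists) is the more precise one.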

Thanks for reading. And if you find this vulnerability on servers that do not belong to you, contact the server administrator immediately to report the problem!

The problem was discovered here: http://www.80sec.com/nginx-securit.html
And discussed here: http://www.pubbs.net/201005/nginx/39767-nginx-0day-exploit-for-nginx-fastcgi-php.html

Thanks to Martin F. for reporting the issue!


Mario Ricalde said...

Awesome tip, thanks for sharing.

superrider said...

I found a great article while googling, I recommend the article to everybody.

JacobSyndeo said...

Thank you so much, that's a potentially nasty exploit, especially since I'm completely new to Nginx and am a bit worried about leaving such a thing like this open.

Unknown said...

Wonderful blog & good post. It's really helpful for me, awaiting more new posts. Keep blogging!

Dev Soft said...

PHP is one of the fastest growing web scripting languages on the Internet today, and for good reason. PHP (which stands for Hypertext Preprocessor) was designed explicitly for the web.
