再提供一种解决Nginx文件类型错误解析漏洞的方法

| |
[不指定 2010-5-21 18:46 | by 张宴 ]
  [文章作者:张宴 本文版本:v1.2 最后修改:2010.05.24 转载请注明原文链接:http://blog.zyan.cc/nginx_0day/]

  注:2010年5月23日14:00前阅读本文的朋友,请按目前v1.1版本的最新配置进行设置。

  昨日,80Sec 爆出Nginx具有严重的0day漏洞,详见《Nginx文件类型错误解析漏洞》。只要用户拥有上传图片权限的Nginx+PHP服务器,就有被入侵的可能。

  其实此漏洞并不是Nginx的漏洞,而是PHP PATH_INFO的漏洞,详见:http://bugs.php.net/bug.php?id=50852&edit=1

  例如用户上传了一张照片,访问地址为http://www.domain.com/images/test.jpg,而test.jpg文件内的内容实际上是PHP代码时,通过http://www.domain.com/images/test.jpg/abc.php就能够执行该文件内的PHP代码。

  网上提供的临时解决方法有:

  方法①、修改php.ini,设置cgi.fix_pathinfo = 0;然后重启php-cgi。此修改会影响到使用PATH_INFO伪静态的应用,例如我以前博文的URL:http://blog.zyan.cc/read.php/348.htm 就不能访问了。

  方法②、在nginx的配置文件添加如下内容后重启:if ( $fastcgi_script_name ~ \..*\/.*php ) {return 403;}。该匹配会影响类似 http://www.domain.com/software/5.0/test.php(5.0为目录),http://www.domain.com/goto.php/phpwind 的URL访问。

  方法③、对于存储图片的location{...},或虚拟主机server{...},只允许纯静态访问,不配置PHP访问。例如在金山逍遥网论坛、SNS上传的图片、附件,会传送到专门的图片、附件存储服务器集群上(pic.xoyo.com),这组服务器提供纯静态服务,无任何动态PHP配置。各大网站几乎全部进行了图片服务器分离,因此Nginx的此次漏洞对大型网站影响不大。


  本人再提供一种修改nginx.conf配置文件的临时解决方法,兼容“http://blog.zyan.cc/demo/0day/phpinfo.php/test”的PATH_INFO伪静态,拒绝“http://blog.zyan.cc/demo/0day/phpinfo.jpg/test.php”的漏洞攻击:
location ~* .*\.php($|/)
{
      if ($request_filename ~* (.*)\.php) {
            set $php_url $1;
      }
      if (!-e $php_url.php) {
            return 403;
      }

      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
}


  也可将以下内容写在fcgi.conf文件中,便于多个虚拟主机引用:
if ($request_filename ~* (.*)\.php) {
    set $php_url $1;
}
if (!-e $php_url.php) {
    return 403;
}

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  SCRIPT_NAME        $uri;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;



  附:文章修改历史

  ● [2010年05月21日] [Version 1.0] 新建

  ● [2010年05月23日] [Version 1.1] 针对网友michael提出的“如果构造一个形如/..trojan.jpg/dummy.php/?abcd=1,似乎可以绕过防范的nginx配置”,进行了配置修改,防范了此类情况发生。提供测试的URL如下,拒绝漏洞访问:
  http://blog.zyan.cc/demo/0day/phpinfo.jpg (里面是PHP代码)
  http://blog.zyan.cc/demo/0day/phpinfo.jpg/.php
  http://blog.zyan.cc/demo/0day/phpinfo.jpg/dummy.php
  http://blog.zyan.cc/demo/0day/phpinfo.jpg/dummy.php/?abcd=1

  同时兼容正常的PATH_INFO伪静态请求,测试URL如下:
  http://blog.zyan.cc/demo/0day/phpinfo.php (这是正常的PHP文件)
  http://blog.zyan.cc/demo/0day/phpinfo.php/test
  http://blog.zyan.cc/demo/0day/phpinfo.php/news123.html
  http://blog.zyan.cc/read.php/348.htm

  ● [2010年05月24日] [Version 1.2] 修正文字描述错误。


Tags: , ,



技术大类 » Web服务器 | 评论(323) | 引用(0) | 阅读(136604)
room Email
2025-9-2 21:21
This particular papers fabulous, and My spouse and i enjoy each of the perform that you have placed into this. I’m sure that you will be making a really useful place. I has been additionally pleased. Good perform!  派遣 軽作業
Jimmy
2025-9-2 21:58
the actually great website. the realy informative plus a this kind of excellent career. i enjoy this kind of.  sloto89 slot onlineBeing Starter, I'm sure for life trying over the internet for the purpose of content pieces that might be from assistance to everybody. Regards.  slot online sloto89
Jimmy
2025-9-2 21:58
Being Starter, I'm sure for life trying over the internet for the purpose of content pieces that might be from assistance to everybody. Regards.  slot online sloto89
Jimmy
2025-9-2 21:58
Being Starter, I'm sure for life trying over the internet for the purpose of content pieces that might be from assistance to everybody. Regards.  slot online sloto89
Jimmy
2025-9-2 21:59
Being Starter, I'm sure for life trying over the internet for the purpose of content pieces that might be from assistance to everybody. Regards.  slot online sloto89
OKE66 Email
2025-9-3 14:21
Honestly, playing on OKE66 just feels different. The moment I signed up, boom—bonus right away. Tried other sites before, but I always end up coming back here ‘cause it’s just smooth and easy.oke66zan
온라인카지노 Email Homepage
2025-9-3 15:25
온라인슬롯, 슬롯사이트, 먹튀검증, 온라인카지노, 토토사이트, 카지노 커뮤니티, 슬롯커뮤니티, 무료슬롯체험, 온라인바카라, 에볼루션카지노, 프라그마틱슬롯
웹툰사이트 Email Homepage
2025-9-3 16:05
I haven’t any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us. <a href="https://xn--z27bt9c1e.com">웹툰사이트</a>웹툰사이트웹툰사이트
Jimmy
2025-9-3 18:19
Truly! Whatever an eye opener this unique put up happens to be in my circumstances. Substantially relished, saved, I just can’t look for further!  bandar togel
Jimmy
2025-9-3 18:19
the actually great website. the realy informative plus a this kind of excellent career. i enjoy this kind of.  title loans Atlanta
Jimmy
2025-9-3 22:50
This is such a great resource that you are providing and you give it away for free. I love seeing blog that understand the value of providing a quality resource for free.  bandar togelI think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article.  Douglasville title pawnI think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article.  GIGA88 slot resmiI think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article.  GIGA88 slot resmi
sgffgf Email
2025-9-4 16:27
It is my first visit to your blog, and I am very impressed with the articles that you serve. Give adequate knowledge for me. Thank you for sharing useful material. I will be back for the more great post.  หวยไทย  This article was written by a real thinking writer without a doubt. I agree many of the with the solid points made by the writer. I’ll be back day in and day for further new updates.  오피스타
카지노사이트 Email Homepage
2025-9-6 09:21
온라인슬롯, 슬롯사이트, 먹튀검증, 온라인카지노, 토토사이트, 카지노 커뮤니티, 슬롯커뮤니티, 무료슬롯체험, 온라인바카라, 에볼루션카지노, 프라그마틱슬롯 https://kkuns.com
jakson Email Homepage
2025-9-6 18:06
Your site is a complete surprise. The overall structure, user-friendly explanations, and extensive resources are what draw so many people to it. Thank you.If you suffer from chronic neck and shoulder pain, I recommend this site, which shares information on massage therapy, self-massage techniques, and sports massage techniques.마사지구인구직
jakson Email Homepage
2025-9-6 18:08
This seems like a huge amount of information. The content is comprehensive and the user-friendly explanations are excellent. Thank you.If you have neck or back pain, I recommend this site, which shares information on self-massage techniques, aromatherapy massage, and sports massage techniques.마사지구인구직
웹툰사이트 Email Homepage
2025-9-6 18:22
I haven’t any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us.  <a href="https://xn--z27bt9c1e.com">웹툰사이트</a>  I haven’t any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us.  웹툰사이트  웹툰사이트  https://xn--z27bt9c1e.com
Rahul Email Homepage
2025-9-7 03:04
Great article n! I really enjoyed your insights and explanations. For anyone interested in daily updates and real-time results, you can check out <a href="https://www.sattaadda.com/">Satta Adda</a>. The site provides fast Satta King results and updates.
웹툰사이트 Email Homepage
2025-9-7 12:21
"해피툰은 다양한 무료 웹툰, 웹툰 미리보기 사이트, 웹툰 사이트 순위, 무료 웹툰 사이트를 제공하는 사이트입니다. 해피툰의 가장 빠른 주소로 안내해드리겠습니다. no1 무료 웹툰 사이트를 이용해보세요."/>웹툰사이트  https://xn--z27bt9c1e.com
카지노사이트 Email Homepage
2025-9-7 12:22
"해피툰은 다양한 무료 웹툰, 웹툰 미리보기 사이트, 웹툰 사이트 순위, 무료 웹툰 사이트를 제공하는 사이트입니다. 해피툰의 가장 빠른 주소로 안내해드리겠습니다. no1 무료 웹툰 사이트를 이용해보세요."/>웹툰사이트  https://xn--z27bt9c1e.com
DASFDSFDS Email
2025-9-8 20:19
L'inscription avec le code 1XNEW200 est la clé pour débloquer ce bonus généreux. Le processus est rapide et adapté aux mobiles, avec des méthodes de paiement locales comme Orange Money et MTN Mobile Money.  codes promo 1xbet côte d'ivoire
分页: 16/17 第一页 上页 11 12 13 14 15 16 17 下页 最后页
发表评论
表情
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
打开HTML
打开UBB
打开表情
隐藏
记住我
昵称   密码   游客无需密码
网址   电邮   [注册]