[Author: Zhang Yan (张宴)  Version: v1.2  Last modified: 2010.05.24  When reposting, please credit the original link: http://blog.zyan.cc/nginx_0day/]

  Note: if you read this article before 14:00 on May 23, 2010, please apply the latest configuration from the current v1.1 version.

  Yesterday, 80Sec disclosed a serious 0day vulnerability in Nginx; see "Nginx 文件类型错误解析漏洞" (Nginx file type misparsing vulnerability). Any Nginx+PHP server on which users are allowed to upload images is potentially open to intrusion.

  In fact, this is not a vulnerability in Nginx itself but in PHP's PATH_INFO handling; see: http://bugs.php.net/bug.php?id=50852&edit=1

  For example, if a user uploads a photo reachable at http://www.domain.com/images/test.jpg, but the contents of test.jpg are actually PHP code, then requesting http://www.domain.com/images/test.jpg/abc.php executes the PHP code inside that file.

  The temporary workarounds circulating online are:

  Method 1: Edit php.ini, set cgi.fix_pathinfo = 0, then restart php-cgi. This change affects applications that rely on PATH_INFO for pretty URLs; for example, the URL of one of my earlier posts, http://blog.zyan.cc/read.php/348.htm, would no longer be accessible.

  Method 2: Add the following to the nginx configuration file and restart: if ( $fastcgi_script_name ~ \..*\/.*php ) {return 403;}. This pattern also blocks legitimate URLs such as http://www.domain.com/software/5.0/test.php (where 5.0 is a directory) and http://www.domain.com/goto.php/phpwind.

  Method 3: For the location{...} or virtual host server{...} that stores images, allow only pure static access and configure no PHP handling at all. For example, images and attachments uploaded to the Kingsoft XOYO forum and SNS are sent to a dedicated image/attachment storage cluster (pic.xoyo.com); those servers serve static content only, with no dynamic PHP configuration. Almost all major sites have separated their image servers this way, so this Nginx vulnerability has little impact on large sites.



  Here I offer another temporary workaround, by editing nginx.conf, that keeps PATH_INFO pretty URLs such as "http://blog.zyan.cc/demo/0day/phpinfo.php/test" working while rejecting attacks such as "http://blog.zyan.cc/demo/0day/phpinfo.jpg/test.php":
location ~* .*\.php($|/)
{
    # Capture everything before the last ".php" in the on-disk path (greedy match)
    if ($request_filename ~* (.*)\.php) {
        set $php_url $1;
    }
    # Refuse the request unless that script really exists on disk
    if (!-e $php_url.php) {
        return 403;
    }

    fastcgi_pass  127.0.0.1:9000;
    fastcgi_index index.php;
    include fcgi.conf;
}


  The same checks can also be placed in the fcgi.conf file so that multiple virtual hosts can include them:
if ($request_filename ~* (.*)\.php) {
    set $php_url $1;
}
if (!-e $php_url.php) {
    return 403;
}

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  SCRIPT_NAME        $uri;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;




  Appendix: revision history

  ● [May 21, 2010] [Version 1.0] Created

  ● [May 23, 2010] [Version 1.1] In response to reader michael's observation that "a request of the form /..trojan.jpg/dummy.php/?abcd=1 seems to bypass the protective nginx configuration", the configuration was revised to prevent this case. Test URLs follow; these exploit requests are rejected:
  http://blog.zyan.cc/demo/0day/phpinfo.jpg (contains PHP code)
  http://blog.zyan.cc/demo/0day/phpinfo.jpg/.php
  http://blog.zyan.cc/demo/0day/phpinfo.jpg/dummy.php
  http://blog.zyan.cc/demo/0day/phpinfo.jpg/dummy.php/?abcd=1

  Normal PATH_INFO pretty-URL requests continue to work; test URLs:
  http://blog.zyan.cc/demo/0day/phpinfo.php (a normal PHP file)
  http://blog.zyan.cc/demo/0day/phpinfo.php/test
  http://blog.zyan.cc/demo/0day/phpinfo.php/news123.html
  http://blog.zyan.cc/read.php/348.htm

  ● [May 24, 2010] [Version 1.2] Corrected errors in the text.


diandian
2011-12-18 11:01
Has this vulnerability still not been fixed officially? If it has been fixed, is this no longer necessary?
昌乐 Homepage
2012-5-13 11:03
My site www.changle8.com often shows: "错误类型:-2146697208  您输入的域名无法解析,搜索正确域名". This problem is really troubling.
若海 Homepage
2013-8-19 09:37
Please use try_files $fastcgi_script_name =404; instead of the if statements.
磨延城 Email Homepage
2013-10-21 20:45
Motuge learned something here.