再提供一种解决Nginx文件类型错误解析漏洞的方法

MySQL Infobright 数据仓库快速安装笔记[原创]

快速跳转到Google SSL 中文版的网址：ggssl.com [此文被墙，无法浏览]

大 | 中 | 小

[

2010-5-21 18:46 | by 张宴 ]

　　[文章作者：张宴本文版本：v1.2 最后修改：2010.05.24 转载请注明原文链接：http://blog.zyan.cc/nginx_0day/]

　　注：2010年5月23日14:00前阅读本文的朋友，请按目前v1.1版本的最新配置进行设置。

　　昨日，80Sec 爆出Nginx具有严重的0day漏洞，详见《Nginx文件类型错误解析漏洞》。只要用户拥有上传图片权限的Nginx+PHP服务器，就有被入侵的可能。

　　其实此漏洞并不是Nginx的漏洞，而是PHP PATH_INFO的漏洞，详见：http://bugs.php.net/bug.php?id=50852&edit=1

　　例如用户上传了一张照片，访问地址为http://www.domain.com/images/test.jpg，而test.jpg文件内的内容实际上是PHP代码时，通过http://www.domain.com/images/test.jpg/abc.php就能够执行该文件内的PHP代码。

　　网上提供的临时解决方法有：

　　方法①、修改php.ini，设置cgi.fix_pathinfo = 0;然后重启php-cgi。此修改会影响到使用PATH_INFO伪静态的应用，例如我以前博文的URL：http://blog.zyan.cc/read.php/348.htm 就不能访问了。

　　方法②、在nginx的配置文件添加如下内容后重启：if ( $fastcgi_script_name ~ \..*\/.*php ) {return 403;}。该匹配会影响类似 http://www.domain.com/software/5.0/test.php（5.0为目录），http://www.domain.com/goto.php/phpwind 的URL访问。

　　方法③、对于存储图片的location{...}，或虚拟主机server{...}，只允许纯静态访问，不配置PHP访问。例如在金山逍遥网论坛、SNS上传的图片、附件，会传送到专门的图片、附件存储服务器集群上（pic.xoyo.com），这组服务器提供纯静态服务，无任何动态PHP配置。各大网站几乎全部进行了图片服务器分离，因此Nginx的此次漏洞对大型网站影响不大。

　　本人再提供一种修改nginx.conf配置文件的临时解决方法，兼容“http://blog.zyan.cc/demo/0day/phpinfo.php/test”的PATH_INFO伪静态，拒绝“http://blog.zyan.cc/demo/0day/phpinfo.jpg/test.php”的漏洞攻击：

location ~* .*\.php($|/)
{
      if ($request_filename ~* (.*)\.php) {
            set $php_url $1;
      }
      if (!-e $php_url.php) {
            return 403;
      }

      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
}

　　也可将以下内容写在fcgi.conf文件中，便于多个虚拟主机引用：

if ($request_filename ~* (.*)\.php) {
    set $php_url $1;
}
if (!-e $php_url.php) {
    return 403;
}

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  SCRIPT_NAME        $uri;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

　　附：文章修改历史

　　● [2010年05月21日] [Version 1.0] 新建

　　● [2010年05月23日] [Version 1.1] 针对网友michael提出的“如果构造一个形如/..trojan.jpg/dummy.php/?abcd=1，似乎可以绕过防范的nginx配置”，进行了配置修改，防范了此类情况发生。提供测试的URL如下，拒绝漏洞访问：
　　http://blog.zyan.cc/demo/0day/phpinfo.jpg （里面是PHP代码）
　　http://blog.zyan.cc/demo/0day/phpinfo.jpg/.php
　　http://blog.zyan.cc/demo/0day/phpinfo.jpg/dummy.php
　　http://blog.zyan.cc/demo/0day/phpinfo.jpg/dummy.php/?abcd=1

　　同时兼容正常的PATH_INFO伪静态请求，测试URL如下：
　　http://blog.zyan.cc/demo/0day/phpinfo.php （这是正常的PHP文件）
　　http://blog.zyan.cc/demo/0day/phpinfo.php/test
　　http://blog.zyan.cc/demo/0day/phpinfo.php/news123.html
　　http://blog.zyan.cc/read.php/348.htm

　　● [2010年05月24日] [Version 1.2] 修正文字描述错误。

技术大类 » Web服务器 | 评论(162) | 引用(0) | 阅读(133986)

fariha

2025-4-28 16:24

Very informative post! There is a lot of information here that can help any business get started with a successful social networking campaign. ARMORBET78

fariha

2025-4-28 18:10

Thank you because you have been willing to share information with us. we will always appreciate all you have done here because I know you are very concerned with our. https://www.starrnyc.com/

asd

2025-4-29 16:22

I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here! keep up the good work... olxtoto login

asd

2025-4-29 16:27

fariha

2025-4-29 16:27

I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article. MUTIARA78

DSFDSF

2025-4-29 16:29

This particular is usually apparently essential and moreover outstanding truth along with for sure fair-minded and moreover admittedly useful My business is looking to find in advance designed for this specific useful stuffs… olxtoto login

dsfdsfd

2025-5-4 21:42

A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. lowestoft journal

dsfdfs

2025-5-7 15:31

Thanks for a very interesting blog. What else may I get that kind of info written in such a perfect approach? I’ve a undertaking that I am simply now operating on, and I have been at the look out for such info. dot

sdfds

2025-5-7 22:31

Thanks for sharing this quality information with us. I really enjoyed reading. Will surely going to share this URL with my friends. Legal AI

dfds

2025-5-8 19:08

I read a article under the same title some time ago, but this articles quality is much, much better. How you do this.. agenolx daftar

dfbdfgd

2025-5-10 19:15

Apa Itu Paito SGPPaito SGP adalah tampilan data hasil keluaran Singapore Pools (SGP) yang disusun dalam bentuk tabel atau warna, yang digunakan oleh pemain togel untuk menganalisa pola angka. Dengan memahami pola ini, banyak pemain bisa memprediksi angka jitu untuk taruhan berikutnya. paito togel sgp

dfbdfgd

2025-5-10 19:41

Thanks for providing recent updates regarding the concern, I look forward to read more. alexistoto

jakson

2025-5-14 14:23

I learned a lot while staying on this site. The overall structure and the development of logic based on facts are truly amazing. It is a task that would have been impossible without much learning. Thank you. By the way, when you work on the computer for a long time, your neck and shoulders sometimes hurt. At that time, I introduce a site that shares detailed information on how to relieve tight muscles with simple self-massage therapy, various massage techniques such as sports massage and Swedish massage, and other information that is helpful for your health. 스웨디시 구인

gktndh

2025-5-15 12:19

It's full of helpful information for many people. There must be a reason why many people visit this site. If it's the information I need, people around me will also need it and it will be well used. I think I should let many people know about this site. Thank you for your hard work.A simple acupressure method for treating mild pain caused by muscle knots in the neck and shoulders, which are common pains among modern people, with self-massage therapy without going to the hospital, and systematic information on the methods and effects of various massage techniques are shared to help you choose the right massage for your body. 마사지구인구직

dsfds

2025-5-15 15:54

Excellent article. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking. Lô Đề

dsfds

2025-5-15 16:10

This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work 국제 문자

sdfdsf

2025-5-17 20:17

Nice post! This is a very nice blog that I will definitively come back to more times this year! Thanks for informative post. 해외선물 나스닥

sdfsdfs

2025-5-24 19:13

You make so many great points here that I read your article a couple of times. Your views are in accordance with my own for the most part. This is great content for your readers. Фильмикс HD

thsdhrhd

2025-5-25 13:05

It doesn't seem like an easy task, but it's really well done. It's full of quality information, easy to search, and sufficient explanations for understanding. Everything is perfect. Thank you for your hard work. As a side note, chronic fatigue seems to be one of the chronic diseases for modern people who lack exercise and sit for long hours at work. Health is a really important asset that cannot be exchanged for anything. If you use self-massage techniques from time to time to relieve the tense muscles in your shoulders and neck and stretch frequently to increase your body's flexibility, you will be able to free yourself from chronic fatigue. I'm introducing a site that shares sports massage, aroma massage, Swedish massage, and other self-massage techniques. 마사지 구인정보

dsfsd

2025-5-25 16:23

Nice blog and absolutely outstanding. You can do something much better but i still say this perfect.Keep trying for the best. KinoGo

分页： 8/9