# PHP-FastCGI (& Nginx) security issue

## frostschutz

If you are using PHP with the cgi USE flag in a FastCGI environment (and possibly nginx instead of Apache), you may be interested in the following article:

*Quote:*

> http://cnedelcu.blogspot.com/2010/05/nginx-php-via-fastcgi-important.html
>
> A critical security issue has recently been pointed out on servers that run Nginx and PHP via FastCGI. The issue allows anyone to execute their own PHP code on the system, I don't think I have to remind you of the consequences this could have. I will attempt to provide a simple explanation of the issue and more importantly how to fix it.
> ...


Came across this today; my box was affected by this issue, so if you're running PHP as CGI on your server, it may be worth checking out, especially (but not only) for Nginx users, since it seems to happen with the standard setup that's usually used for nginx + php...

----------

## nativemad

This doesn't seem to be an issue with lighty!

It displays the wrong file (even with the php.ini set), but it does not involve the interpreter! :Razz:

----------

## Gef

Many thanks for the heads-up. I guess that's the kind of risk you take by running some brand-new-yet-powerful-and-polished-complexly-stacked-layers-of-software.

So, to summarize some of the possible options for production servers:

*/etc/nginx/nginx.conf wrote:*

> # 403 if the request is something like /my/uri/mycode.jpg/nonexisting.php
> # where mycode.jpg is in fact a plain text php code uploaded by an
> ...


AND/OR

*/etc/php/cgi-php5/php.ini wrote:*

> ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
> ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
> ...


----------

## frostschutz

Yes, I do both: set cgi.fix_pathinfo to 0, since it's a dangerous option that makes PHP look for odd files like images if it was given an invalid path; and check for the existence of the .php (or, for embedded PHP, .html) file before forwarding it, so that invalid paths are no longer forwarded to PHP in the first place. The path info variables etc. can be set by nginx if the PHP application requires them...

----------
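The two mitigations discussed in the thread (an existence check on the nginx side, plus `cgi.fix_pathinfo=0` on the PHP side), shown as an added nginx configuration example. This is not configuration posted by anyone in the thread; the document root `/var/www` and the FastCGI address `127.0.0.1:9000` are assumptions, so adjust them to your own setup.

```nginx
# Added example, not from the thread. Assumes the document root is /var/www
# and PHP's FastCGI listener is on 127.0.0.1:9000.

server {
    listen 80;
    root /var/www;

    # Weak (the common nginx + php-cgi setup at the time): every URI ending
    # in .php is handed to PHP without checking that the file exists. With
    # cgi.fix_pathinfo=1 in php.ini, a request for
    #   /uploads/image.jpg/nonexisting.php
    # makes PHP walk back to /uploads/image.jpg as the script to run, so an
    # uploaded "image" containing PHP gets executed.
    #
    # location ~ \.php$ {
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }

    # Hardened: only forward the request when $document_root$uri is an
    # existing file; otherwise answer 404 and PHP never sees the request.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

`try_files $uri =404;` is the equivalent of the `if (!-f ...) { return 403; }` style check quoted earlier in the thread, just without the `if` block. As a second, independent layer, set `cgi.fix_pathinfo=0` in the php.ini used by the CGI binary, so that PHP refuses to guess a script file even if a bad path does slip through. Note that the existence check also rejects legitimate PATH_INFO-style URLs such as `/index.php/some/route`; applications that need those require explicit handling in nginx (for example `fastcgi_split_path_info`) rather than a relaxed check.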

