i just stumbled upon this exploit… that only works on nginx + php:
http://www.acunetix.com/vulnerabilities/nginx-php-code-execution/
Nginx PHP code execution via FastCGI
Description
A critical security issue was reported on servers that run Nginx and PHP via FastCGI. This issue may allow attackers to execute their own PHP code on the system.The problem is not caused by nginx itself, it’s related with the PHP option cgi.fix_pathinfo. When this option is enabled, PHP will rewrite SCRIPT_FILENAME and PATH_INFO parameters. When combined with Nginx, this turns into a security issue.Impact
Possible PHP code execution.
A critical security issue was reported on servers that run Nginx and PHP via FastCGI. This issue may allow attackers to execute their own PHP code on the system.The problem is not caused by nginx itself, it’s related with the PHP option cgi.fix_pathinfo. When this option is enabled, PHP will rewrite SCRIPT_FILENAME and PATH_INFO parameters. When combined with Nginx, this turns into a security issue.Impact
Possible PHP code execution.
Recommendation
set [bold]cgi.fix_pathinfo = 0[/bold] in php.ini [break] [break] or[break] [break] configure nginx using the code below:[break] [break] [pre] if ( $fastcgi_script_name ~ ..*/.*php ) { return 403; } [/pre]
References
Nginx & PHP via FastCGI important security issue
nginxphp-cgi-security-alert
also problematic: macbook webcam can be activated without the LED showing up – http://hackersnewsbulletin.com/2013/12/hackers-can-activate-macbooks-webcam-secretly-software.html
liked this article?
- only together we can create a truly free world
- plz support dwaves to keep it up & running!
- (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
- really really hate advertisement
- contribute: whenever a solution was found, blog about it for others to find!
- talk about, recommend & link to this blog and articles
- thanks to all who contribute!