Security-critical fix: Nginx directory protection did not prevent access to PHP scripts

Although the implemented directory protection posed a prompt when accessing http://...com/protectedir/, it was still possible to call http://...com/protectedir/script.php. This vulnerability emerges from the precedence order of "location" statements. The RegEx matching the PHP script is triggered before the directory protection is evaluated. As a result, the PHP script is interpreted and path parsing stops due to the circumflex (see http://nginx.org/en/docs/http/ngx_http_core_module.html#location). The fix involves adding a PHP parsing snippet to every protected block. In order to avoid repeating PHP-related config params, the required section is referenced using a prefix.
@@ -25,6 +25,10 @@ class nginx_phpfpm extends nginx
$phpconfig = $php->getPhpConfig((int)$domain['phpsettingid']);
$php_options_text = "\t" . 'location ~ ^(.+?\.php)(/.*)?$ {' . "\n";
$php_options_text .= "\t\t" . 'try_files ' . $domain['nonexistinguri'] . ' @php;' . "\n";
$php_options_text .= "\t" . '}' . "\n\n";
$php_options_text .= "\t" . 'location @php {' . "\n";
$php_options_text .= "\t\t" . 'try_files $1 = 404;' . "\n\n";
$php_options_text .= "\t\t" . 'include ' . Settings::Get('nginx.fastcgiparams') . ";\n";
$php_options_text .= "\t\t" . 'fastcgi_split_path_info ^(.+\.php)(/.+)\$;' . "\n";
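Review bot: the fallback in `'try_files $1 = 404;'` inside the `location @php` block has a space between `=` and `404`, so nginx will not read it as the `=code` form; `try_files` only treats a final argument written as `=404` as a status code, and a separate `404` token would instead be taken as a URI to redirect to internally. Suggest `'try_files $1 =404;'`. While here, the named location relies on `$1` captured by the enclosing `location ~ ^(.+?\.php)(/.*)?$` regex; it is worth confirming in a test that the capture is still populated after the `try_files` internal redirect into `@php`, since the directory-protection bypass this commit closes depends on the PHP request actually being handled by this block rather than falling through.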