MyBB Community Forums

Full Version: PHP-FastCGI (& Nginx) security issue
Pages: 1 2
If you are using php-fastcgi (and possibly nginx instead of Apache) you may be interested in the following article:

http://cnedelcu.blogspot.com/2010/05/ngi...rtant.html Wrote:A critical security issue has recently been pointed out on servers that run Nginx and PHP via FastCGI. The issue allows anyone to execute their own PHP code on the system, I don't think I have to remind you of the consequences this could have. I will attempt to provide a simple explanation of the issue and more importantly how to fix it.

Came across this today, my server was affected by this issue, so if you're running PHP as CGI on your server, it may be worth checking out, especially (but not only) for Nginx users since Nginx standard configuration does not prevent this.
Hey,

This issue affects IIS running PHP as FastCGI as well (tested on localhost with IIS7).
After talking to PHP through email, they are saying it's the server admin's issue and not PHP's, as the server is not set up right; it's a config issue.
bad vulnerable ;)
Okay.

From what PHP is telling me, for IIS 7 users make sure you install

http://www.microsoft.com/downloads/detai...290f3b8367

(not tested at this time, I will later)
Does this affect everyone using PHP-FastCGI, or just if you run nginx?
You're affected if your webserver uses the CGI variant of PHP, and if PHP is configured to use cgi.fix_pathinfo in its php.ini (which is the default setting unfortunately for PHP), and if the webserver forwards requests to PHP without checking whether the file actually exists (which is the default setting unfortunately for nginx).

So it does not really matter which webserver you're using, the question is how it's set up. Both web server and PHP could be preventing this issue, and unfortunately, PHP does not do so by default, and the Nginx web server does not do so by default either.

In my personal opinion, both projects should adopt safer defaults, and make server admins aware of the risks in their documentation.
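The setup this post describes (nginx forwarding every .php URI to PHP-FastCGI without checking that the file exists) and its fix, as an added example that is not from the thread, from nginx or from the PHP project. The server name, document root, upstream address and /uploads/ path are assumptions.

```nginx
# Added example (not from the thread or any quoted project): an nginx server
# block showing the forwarding pattern the thread describes, with the fix.
# Paths, the upstream address and the server name are assumptions.
server {
    listen 80;
    server_name forum.example.test;          # assumed
    root /var/www/forum;                     # assumed document root

    # Typical setup that the thread warns about: every URI ending in .php is
    # handed to PHP-FastCGI without nginx checking that the file exists.
    # With cgi.fix_pathinfo=1 in php.ini (PHP's default at the time), PHP
    # walks back along a path such as /uploads/avatar.jpg/x.php until it
    # finds an existing file and runs that file as PHP.
    #
    # location ~ \.php$ {
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }

    # Hardened version: refuse the request unless the script really exists.
    location ~ \.php$ {
        # try_files checks $document_root$uri on disk and returns 404 if the
        # script is not there, so /uploads/avatar.jpg/x.php never reaches PHP.
        # Older nginx builds without try_files can use:
        #   if (!-f $document_root$fastcgi_script_name) { return 404; }
        try_files $uri =404;

        fastcgi_pass 127.0.0.1:9000;         # assumed PHP-FastCGI listener
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Defence in depth: a directory holding user uploads should never have
    # anything executed from it, regardless of the check above.
    location ^~ /uploads/ {
        location ~ \.php$ { return 403; }
    }
}
```

The complementary fix on the PHP side, as the post says, is `cgi.fix_pathinfo=0` in php.ini, so that PHP refuses to guess at a script path even if a web server does forward a bad request. Applying both closes the issue from either direction; after reloading nginx, a request for an existing image followed by a fake `/x.php` suffix should return 404 (or 403 under /uploads/) rather than 200.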
BTW, what is mod_php? I have the option of: fastcgi, cgi-php and mod_php
mod_php (in case of Apache) is PHP directly integrated into Apache itself, whereas with CGI, PHP runs as a separate independent program/process.
Yeah I'm glad I don't run as CGI. Thanks for the alert though.
So basically I should change to mod_php?