My website has been compromised by a user who uploaded an image with PHP code in it. This code allows files to be uploaded, and he uploaded a malicious PHP script.

He was able to call his "image-php" with a GET on this URL:

http://mypwnedwebsite.com/image.jpg/.php 

How can I configure nginx to prevent this behaviour? I mean, with a simple /.php, it acts as if everything were PHP, which is wrong from my point of view.

I actually have a "classical" nginx 1.6.2 configuration, and I think this part is the most relevant:

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 120;
        include /etc/nginx/fastcgi_params;
    }
  • See this article. You are missing a try_files $uri =404; statement. Commented Jan 13, 2017 at 8:27

1 Answer

This should work.

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 120;
        include /etc/nginx/fastcgi_params;
        try_files $uri $uri/ /404.html;
    }

It tries to find $uri; if that is not found, a folder; if that is not found either, a 404 error is thrown.

  • Thank you, it actually works. Do I have to put try_files $uri $uri/ /404.html in every location block on every website, or is there a way to do this globally? Commented Jan 13, 2017 at 14:01
  • nginx.com/blog/creating-nginx-rewrite-rules, "The try_files directive": Like the return and rewrite directives, the try_files directive is placed in a server or location block. As parameters, it takes a list of one or more files and directories and a final URI: try_files file … uri; Commented Jan 13, 2017 at 14:17
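To make the mechanism behind the question and the answer concrete, here is an added Python model (not from the question, the answer, nginx or PHP) of how PHP-FPM's cgi.fix_pathinfo walk turns /image.jpg/.php into "execute image.jpg", and how a try_files guard in the location block stops the request before it reaches PHP. The document root, the file set and the function names are constructed for the illustration.

```python
"""Model of the path-resolution bug in the question.

With cgi.fix_pathinfo=1, PHP-FPM walks back up SCRIPT_FILENAME until it
finds an existing file and runs that file as PHP, so the request
/image.jpg/.php ends up executing image.jpg. A try_files guard in the
nginx location block rejects the request first, because the literal URI
/image.jpg/.php does not exist as a file under the document root.
"""
import posixpath

# Constructed document root: an index script and the uploaded image.
DOCROOT = "/var/www/html"
EXISTING_FILES = {
    "/var/www/html/index.php",
    "/var/www/html/image.jpg",
}


def fix_pathinfo(script_filename):
    """Mimic cgi.fix_pathinfo=1: strip trailing path segments until an
    existing file is found; return (file_to_execute, path_info) or None."""
    path, info = script_filename, ""
    while path and path != "/":
        if path in EXISTING_FILES:
            return path, info
        path, tail = posixpath.split(path)
        info = "/" + tail + info
    return None


def handle_request(uri, guard_with_try_files):
    """What nginx + PHP-FPM would do for a URI matching `location ~ \\.php$`.

    Returns 'executed:<file>' when PHP would run that file, otherwise the
    HTTP status the client would see. Non-.php URIs are served statically.
    """
    if not uri.endswith(".php"):
        return "static"
    if guard_with_try_files:
        # try_files $uri =404: the URI itself must map to an existing file.
        if DOCROOT + uri not in EXISTING_FILES:
            return "404"
    resolved = fix_pathinfo(DOCROOT + uri)
    if resolved is None:
        return "404"
    return "executed:" + resolved[0]
```

PHP-FPM's own security.limit_extensions setting (default .php) is the matching defence on the PHP side; the model above covers only the nginx side.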
