Vulnerability description:
Nginx supports PHP parsing in CGI mode by default. The common practice is to set SCRIPT_FILENAME through regular matching in the Nginx configuration file. When accessing the URL http://192.168.1.102/phpinfo.jpg/1.php, $fastcgi_script_name will be set to "phpinfo.jpg/1.php" and then constructed into SCRIPT_FILENAME and passed to PHP CGI. If the fix_pathinfo option is turned on in PHP, PHP will think that SCRIPT_FILENAME is phpinfo.jpg, and 1.php is PATH_INFO, so phpinfo.jpg will be parsed as a PHP file.
Vulnerability hazard:
Improper configuration of WebServer Fastcgi will cause other files (such as css, js, jpg and other static files) to be parsed and executed as php scripts. When the user changes the malicious script webshell into a static file and uploads it to the webserver and passes it to the backend PHP for parsing and execution, the attacker will gain operating permissions on the server.
Repair plan:
(Nginx users can choose option one or option two, IIS users please use option one)
Option 1, modify the php.ini file and set the value of cgi.fix_pathinfo to 0. Please restart PHP and NGINX (IIS) when completed.
Option 2, add the following code in the Nginx configuration file:
Copy code The code is as follows:
if ( $fastcgi_script_name ~ ..*/.*php ) {
return 403;
}
The meaning of this line of code is that when a URL similar to test.jpg/a.php is matched, a 403 error code will be returned. Please restart Nginx after the modification is completed.