Trackbacks
 |
 |
 |
今天nginx漏出php-fcgi解析漏洞后,一时间沸沸扬扬,一些高手也出了相应的解决方法,汇总比较如下:
1.
if ( $fastcgi_script_name ~ .*\.(png|jpg|gif|bmp|PNG|JPG|GIF|BMP)\/.*php ) {
return 404;
}
本人针对漏洞的解决方法!
【2010-5-21 20:03】修改补充:
dennis大侠提出:
还有第一个解决方法 如果是rar的怎么办? 那个和文件后缀的关系不大
我早上测试的文件名字是.kpg的也一样可以针对后缀名不确定的元素我修改为(测试通过,可以加入到enable_php5.conf顶部,多虚拟主机启用):
if ( $fastcgi_script_name ~ .*\.([0-9a-zA-Z]+)\/.*\.php ) {
return 404;
}
附上我的enable_php5.conf配置:
if ( $fastcgi_script_name ~ .*\.([0-9a-zA-Z]+)\/.*\.php ) {
return 404;
}
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
2.
if (!-e $request_filename) {
rewrite .* http://www.yanghengfei.com/index.php;
}
已经可以实现防止漏洞的效果,但是如果你的网站是康盛的程序或者其他开源程序需要开启rewrite伪静态的程序,那么就会出现rewrite伪静态后的静态页面全部访问你设置的页面!
3.
if ( $fastcgi_script_name ~ \..*\/.*php ) {
return 403;
}
有重写的同学,慎用通杀
4.
设置php.ini的cgi.fix_pathinfo为0,重启php。最方便,但修改设置的可能对你网站有影响!是比较鲁莽的做法!
补充
【2010-5-21 21:27】
张宴的方法:
本人再提供一种修改nginx.conf配置文件的临时解决方法,兼容“http://blog.s135.com/demo/0day/phpinfo.php/test”的PATH_INFO伪静态,拒绝“http://blog.s135.com/demo/0day/phpinfo.jpg/test.php”的漏洞攻击:
location ~* .*\.php($|/){
if ($request_filename ~* .*\.php$) {
set $is_path_info '0';
}
if (-e $request_filename) {
set $is_path_info '1';
}
if ($is_path_info ~ '0') {
return 403;
}
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
也可将以下内容写在fcgi.conf文件中,便于多个虚拟主机引用:
if ($request_filename ~* .*\.(php|php5)$) {
set $is_path_info '0';
}
if (-e $request_filename) {
set $is_path_info '1';
}
if ($is_path_info ~ '0') {
return 403;
}
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $uri;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
