
[Vulnerability notice] FastCGI parsing vulnerability

Last Updated: Apr 02, 2018

Vulnerability description

By default, Nginx handles PHP by passing requests to PHP in CGI mode. SCRIPT_FILENAME is generally set in the Nginx configuration file from a regular-expression match on the request URI.

When the URL http://192.168.1.103/phpinfo.jpg/1.php is accessed, $fastcgi_script_name is set to phpinfo.jpg/1.php, which is used to build SCRIPT_FILENAME and passed to PHP CGI. If cgi.fix_pathinfo is enabled in PHP, PHP treats phpinfo.jpg as SCRIPT_FILENAME and 1.php as PATH_INFO. That is, phpinfo.jpg is executed as a PHP file.

By exploiting this vulnerability, attackers can have a file of any type parsed as PHP. Attackers usually exploit it to obtain a webshell.

How to fix

  • For Nginx and IIS users:

    Modify the php.ini file and set cgi.fix_pathinfo to 0. Then restart PHP and Nginx (or IIS).

  • For Nginx users:

    Add the following to the Nginx configuration file. A request whose URI matches a pattern like test.jpg/a.php then receives error code 403.

    if ( $fastcgi_script_name ~ \..*\/.*php )
    {
        return 403;
    }

    After you finish the modification, restart Nginx.
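To make the failure mode and both fixes concrete, here is an added Python model (not from this notice, and not PHP's or Nginx's real code) that emulates how PHP CGI splits SCRIPT_FILENAME into the executed script and PATH_INFO under cgi.fix_pathinfo, and applies the notice's Nginx regex as a guard in front of it. The document root, the files on disk and the simplified resolution logic are assumptions made for the example.

```python
import re

# The Nginx regex from the notice's second fix, as a Python pattern
# (assumption: Python's re and nginx's PCRE agree on this simple pattern).
GUARD = re.compile(r"\..*\/.*php")

DOCROOT = "/var/www"
# Constructed sample file system: one uploaded image and one real script.
FILES_ON_DISK = {DOCROOT + "/phpinfo.jpg", DOCROOT + "/index.php"}


def nginx_guard(fastcgi_script_name: str) -> int:
    """Status the `if (...) { return 403; }` block yields: 403, or 200 (pass)."""
    return 403 if GUARD.search(fastcgi_script_name) else 200


def php_resolve(script_filename: str, files: set, fix_pathinfo: bool):
    """Simplified model of how PHP CGI turns SCRIPT_FILENAME into the script
    it executes plus PATH_INFO (an assumption for this example, not PHP source).

    cgi.fix_pathinfo=1: strip trailing path components until an existing
    file is found; the stripped tail becomes PATH_INFO.
    cgi.fix_pathinfo=0: the path must exist exactly as given.
    Returns (script, path_info), or (None, None) when nothing would run.
    """
    if not fix_pathinfo:
        return (script_filename, "") if script_filename in files else (None, None)
    path, path_info = script_filename, ""
    while path and path not in files:
        head, sep, tail = path.rpartition("/")
        if not sep:
            return (None, None)
        path, path_info = head, "/" + tail + path_info
    return (path, path_info) if path else (None, None)


def handle_request(uri: str, fix_pathinfo: bool, guard: bool):
    """Model the Nginx -> PHP CGI pipeline. Returns (status, executed_script)."""
    if guard and nginx_guard(uri) == 403:
        return (403, None)
    script, _ = php_resolve(DOCROOT + uri, FILES_ON_DISK, fix_pathinfo)
    return (200, script) if script else (404, None)


if __name__ == "__main__":
    req = "/phpinfo.jpg/1.php"
    print("vulnerable:", handle_request(req, fix_pathinfo=True, guard=False))
    print("fix 1 (cgi.fix_pathinfo=0):", handle_request(req, False, False))
    print("fix 2 (Nginx 403 rule):", handle_request(req, True, True))
    print("legitimate request:", handle_request("/index.php", True, True))
```

Note that the regex also blocks legitimate scripts under a directory whose name contains a dot (for example /app.v2/index.php), so check existing URL layouts before deploying the rule. Setting cgi.fix_pathinfo to 0 removes the root cause and has no such side effect.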
