By default, Nginx runs PHP in CGI mode (PHP-CGI over FastCGI). SCRIPT_FILENAME is generally set in the Nginx configuration file by a regular-expression location match.
When the URL http://192.168.1.103/phpinfo.jpg/1.php is accessed, $fastcgi_script_name is set to phpinfo.jpg/1.php, which is used to build SCRIPT_FILENAME and passed to PHP CGI. If cgi.fix_pathinfo is enabled in PHP, PHP treats phpinfo.jpg as the script (SCRIPT_FILENAME) and 1.php as PATH_INFO. That is, phpinfo.jpg is parsed and executed as a PHP file.
By exploiting this vulnerability, attackers can have a file of any type parsed as PHP. The vulnerability is usually exploited to obtain a webshell.
How to fix
For Nginx and IIS users:
Modify the php.ini file and set cgi.fix_pathinfo to 0. Then restart PHP and Nginx (or IIS).
For Nginx users:
Add the following code to the Nginx configuration file. If a URL such as test.jpg/a.php is matched, error code 403 is returned.

    # Reject any request whose script name contains a dot, then a slash,
    # then "php" (for example test.jpg/a.php). Place this in the server or
    # location block that hands PHP requests to FastCGI.
    if ( $fastcgi_script_name ~ \..*\/.*php ) {
        return 403;
    }
After you finish the modification, restart Nginx.
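The following Python model, added here as an example and not part of the original page, shows the two points above side by side: how cgi.fix_pathinfo walks back along SCRIPT_FILENAME until it finds an existing file (so phpinfo.jpg becomes the script and /1.php becomes PATH_INFO), and which request paths the 403 rule rejects before they ever reach PHP. The document root and the set of existing files are constructed for the example; the fix_pathinfo walk is a simplified model of PHP-CGI's behaviour.

```python
import re

# Constructed example: the document root and the only files that exist in it.
DOCROOT = "/var/www/html"
EXISTING_FILES = {
    "/var/www/html/phpinfo.jpg",   # an uploaded image containing PHP code
    "/var/www/html/index.php",     # a legitimate script
}

# Mirror of the Nginx hardening rule:
#   if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
BLOCK_RE = re.compile(r"\..*/.*php")


def nginx_rejects(fastcgi_script_name: str) -> bool:
    """True when the 403 rule would fire for this $fastcgi_script_name."""
    return BLOCK_RE.search(fastcgi_script_name) is not None


def split_path_info(script_filename: str, existing: set) -> tuple:
    """Simplified model of PHP-CGI with cgi.fix_pathinfo=1: strip trailing
    path components until an existing file is found; the stripped remainder
    becomes PATH_INFO. Returns (script, path_info) or (None, None)."""
    path, path_info = script_filename, ""
    while path and path != "/":
        if path in existing:
            return path, path_info
        path, tail = path.rsplit("/", 1)
        path_info = "/" + tail + path_info
    return None, None


def handle_request(uri: str, fix_pathinfo: bool, hardened: bool) -> str:
    """Return the file PHP would execute for a URI matched by
    'location ~ \\.php$', or "403"/"404" when the request is refused.
    Without fastcgi_split_path_info, $fastcgi_script_name equals the URI."""
    if hardened and nginx_rejects(uri):
        return "403"
    script_filename = DOCROOT + uri
    if script_filename in EXISTING_FILES:
        return script_filename
    if not fix_pathinfo:
        return "404"          # PHP-CGI: "No input file specified"
    script, _path_info = split_path_info(script_filename, EXISTING_FILES)
    return script if script is not None else "404"
```

Note that the rule also blocks legitimate paths such as /dir.v2/index.php, because any dot followed later by a slash and "php" matches; check your URL layout before deploying it.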