Nginx Code Execution due to Misconfiguration
Impact: High
Description
A misconfigured Nginx with PHP FPM (FastCGI Process Manager) allows an attacker to forward any file to PHP FPM by adding /.php at the end of the file's URL path.
Recommendation
Change the PHP FPM location block in your Nginx configuration to something like the following:
location ~ [^/]\.php$ {
...
}
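Notice the [^/] before \.php in the location directive. It requires a character other than a slash immediately before .php, so a request path ending in /.php no longer matches this location.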
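The following check is an added example, not part of the original advisory: it reads the regex location directives out of an Nginx configuration and reports whether each PHP handler would still match a path ending in /.php. The function name audit_locations, the sample configurations and the test URIs are constructed for illustration, and Python's re module is assumed to behave like Nginx's PCRE for these simple patterns.

```python
import re

# Constructed probe: a static file path with "/.php" added at the end.
PROBE_URI = "/uploads/avatar.jpg/.php"
# Constructed ordinary script path that should still reach PHP FPM.
NORMAL_URI = "/index.php"

# Regex location directives: "location ~ <regex> {" or "location ~* <regex> {".
LOCATION_RE = re.compile(r"^\s*location\s+(~\*?)\s+(\S+)\s*\{", re.MULTILINE)

# Constructed sample configurations (socket path is a placeholder).
WEAK_CONFIG = r"""
server {
    location ~* \.(jpg|png)$ { expires 7d; }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
"""
FIXED_CONFIG = WEAK_CONFIG.replace(r"~ \.php$", r"~ [^/]\.php$")


def audit_locations(config_text):
    """Return (pattern, verdict) for each regex location that handles .php URIs."""
    findings = []
    for modifier, pattern in LOCATION_RE.findall(config_text):
        pattern = pattern.strip("\"'")
        flags = re.IGNORECASE if modifier == "~*" else 0
        try:
            rx = re.compile(pattern, flags)
        except re.error:
            findings.append((pattern, "unparsed"))
            continue
        hits_probe = bool(rx.search(PROBE_URI))
        if not hits_probe and not rx.search(NORMAL_URI):
            continue  # location does not handle PHP requests
        findings.append((pattern, "exposed" if hits_probe else "ok"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_locations(cfg))
```

A location reported as "exposed" should be changed to the [^/]\.php$ form shown above.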
Last updated on February 07, 2022