Nginx Code Execution due to Misconfiguration
Impact: High
Description
A common misconfiguration in Nginx's PHP-FPM (FastCGI Process Manager) setup, where the PHP location block matches any request URI ending in .php, can lead to a critical security vulnerability. An attacker can exploit this misconfiguration by appending /.php to the end of any file URL, which causes the request to be handed to PHP-FPM and allows arbitrary PHP code to be executed on the server.
Recommendation
To mitigate this risk, modify your PHP FPM configurations in Nginx as follows:
location ~ [^/]\.php$ {
...
}
Ensure that the location directive includes [^/] immediately before \.php. This requires at least one non-slash character before the .php suffix, so a URI whose final path segment is exactly ".php" (such as /uploads/image.png/.php) no longer matches the PHP location and is not passed to PHP-FPM, preventing unauthorized execution of PHP scripts.
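As an added check (example code written for this note, not part of the original advisory and not nginx project code), the script below evaluates the weak and hardened location regexes against constructed sample URIs, showing which requests each one would hand to PHP-FPM, and flags access-log requests whose final path segment is exactly ".php". It assumes that Python's re.search reproduces nginx's unanchored, case-sensitive PCRE matching for these two patterns; the URIs, log lines and IP addresses are constructed for the example.

```python
import re

# Constructed request URIs, as nginx sees them after normalisation
# (no scheme/host, no query string).
SAMPLE_URIS = [
    "/index.php",
    "/admin/login.php",
    "/uploads/avatar.png/.php",   # the request shape the advisory describes
    "/uploads/avatar.png",
    "/.php",
]

# The two `location ~` regexes: the weak one matches any URI ending in .php,
# the hardened one (from the advisory's recommendation) requires a non-slash
# character before the suffix.
WEAK_LOCATION = r"\.php$"
HARDENED_LOCATION = r"[^/]\.php$"


def routed_to_php_fpm(pattern: str, uri: str) -> bool:
    """True if a `location ~ <pattern>` block would match `uri`.

    Assumption: nginx applies an unanchored, case-sensitive PCRE search to the
    normalised URI, which re.search reproduces for these patterns.
    """
    return re.search(pattern, uri) is not None


def audit(pattern: str, uris=SAMPLE_URIS) -> dict:
    """Map each URI to whether `pattern` would pass it to the PHP handler."""
    return {uri: routed_to_php_fpm(pattern, uri) for uri in uris}


def suspicious_matches(pattern: str, uris=SAMPLE_URIS) -> list:
    """URIs that `pattern` routes to PHP-FPM although their last path segment
    is exactly '.php', i.e. a non-PHP path with '/.php' appended. A hardened
    configuration should return an empty list here."""
    return [
        u for u in uris
        if routed_to_php_fpm(pattern, u) and u.rsplit("/", 1)[-1] == ".php"
    ]


# Detection side: constructed access-log lines in nginx's combined format.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /uploads/avatar.png/.php HTTP/1.1" 200 73',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 4096',
]

_REQUEST_PATH = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_probe_requests(log_lines) -> list:
    """Return request paths whose final segment is exactly '.php'.

    Once the location block is hardened these requests should fall through to
    the static handler (typically a 404); seeing them at all is worth alerting on.
    """
    hits = []
    for line in log_lines:
        m = _REQUEST_PATH.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]   # drop any query string
        if path.rsplit("/", 1)[-1] == ".php":
            hits.append(path)
    return hits


if __name__ == "__main__":
    for name, pattern in (("weak", WEAK_LOCATION), ("hardened", HARDENED_LOCATION)):
        print(f"location ~ {pattern}   ({name})")
        for uri, hit in audit(pattern).items():
            print(f"  {'PHP-FPM' if hit else 'static ':8} {uri}")
        print("  suspicious:", suspicious_matches(pattern))
    print("probe requests in log:", flag_probe_requests(SAMPLE_LOG))
```

Running the script shows that the weak pattern sends /uploads/avatar.png/.php and /.php to PHP-FPM while the hardened pattern still serves /index.php and /admin/login.php normally, and the log check surfaces the one probe-shaped request.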
Last updated on May 13, 2024