Nginx Code Execution due to Misconfiguration

Impact: High

Description

A misconfigured Nginx with PHP FPM (FastCGI Process Manager) allows an attacker to have any file forwarded to PHP FPM by adding /.php to the end of the file's path in the request.

Recommendation

Change the PHP FPM location block in your Nginx configuration to something like the following:

location ~ [^/]\.php$ {
  ...
}

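Notice the [^/] before \.php in the location directive: it requires a character other than / immediately before .php, so a request path ending in /.php no longer matches this location.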
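
The following audit script is an added example, not part of the original page or of SmartScanner: it finds regex location blocks that use fastcgi_pass and checks whether each pattern would still match a path ending in /.php. The sample configuration, socket path and probe path are constructed for illustration, and Python's re module stands in for Nginx's PCRE matching, which behaves the same for patterns this simple.

```python
import re

# Constructed probe: a non-PHP file path with "/.php" appended, as in the description.
PROBE = "/uploads/avatar.jpg/.php"

# Constructed sample configuration; socket path and image location are illustrative.
SAMPLE_CONF = r"""
server {
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
server {
    location ~ [^/]\.php$ {
        fastcgi_pass unix:/run/php-fpm.sock;
    }
    location ~* \.(png|jpg)$ {
        expires 30d;
    }
}
"""

# Regex locations only: "location ~ pattern {" or "location ~* pattern {".
LOCATION_RE = re.compile(r"^[ \t]*location\s+(~\*?)\s+(\S+)\s*\{", re.MULTILINE)

def block_body(text, start):
    """Return the text between the '{' that ends at `start` and its matching '}'."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]

def audit(conf_text):
    """List (pattern, forwards_probe) for every regex location that uses fastcgi_pass."""
    findings = []
    for m in LOCATION_RE.finditer(conf_text):
        modifier, pattern = m.groups()
        if "fastcgi_pass" not in block_body(conf_text, m.end()):
            continue  # location does not hand requests to PHP FPM
        flags = re.IGNORECASE if modifier == "~*" else 0
        # Nginx regex locations are unanchored, so search() rather than match().
        findings.append((pattern, bool(re.search(pattern, PROBE, flags))))
    return findings

if __name__ == "__main__":
    for pattern, forwards in audit(SAMPLE_CONF):
        print(f"{pattern!r}: {'forwards /.php probe to PHP FPM' if forwards else 'ok'}")
```

A pattern reported as forwarding the probe needs the [^/] guard shown above; the image location is skipped because it never reaches PHP FPM.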

Last updated on February 07, 2022
