Description
A critical security issue was reported on servers that run Nginx with PHP via FastCGI (for example PHP-FPM). It may allow an attacker who can place a file of any type on the server, such as an image accepted by an upload form, to have that file executed as PHP code.

The problem is not caused by nginx itself; it comes from the PHP option cgi.fix_pathinfo, which is enabled by default. A typical nginx configuration forwards every URI ending in .php to PHP and sets SCRIPT_FILENAME to $document_root$fastcgi_script_name without checking that such a file exists. For a request like /uploads/avatar.jpg/x.php, nginx therefore passes SCRIPT_FILENAME=/var/www/html/uploads/avatar.jpg/x.php to PHP. Because cgi.fix_pathinfo is on, PHP sees that this path does not exist, strips trailing path components until it finds one that does (/var/www/html/uploads/avatar.jpg), treats the remainder (/x.php) as PATH_INFO and executes avatar.jpg as a PHP script. Neither component is misbehaving on its own; the combination turns any upload directory into a remote code execution vector.
Remediation
Set cgi.fix_pathinfo = 0 in php.ini. With the option off, PHP no longer walks back along SCRIPT_FILENAME looking for an existing file, so a request for /uploads/avatar.jpg/x.php fails instead of executing avatar.jpg. Note that this also disables PATH_INFO for applications that rely on URLs of the form /index.php/some/route; test such applications before deploying the change.

Alternatively, reject these requests in the nginx PHP location before they reach FastCGI:
if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
This refuses any script name that contains a dot followed later by a slash, which is the signature of a file being used as a directory.

In either case, also confirm that the PHP-FPM pool setting security.limit_extensions (default .php since PHP 5.3.9) has not been disabled, and have nginx verify with try_files that the requested script actually exists on disk before proxying it, so that no file is ever handed to PHP under a name that does not correspond to it.
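The following is an added configuration example, not part of the original advisory: it shows the vulnerable nginx PHP handler next to a hardened one that combines an existence check with the rejection rule above, and records the PHP-side settings as comments. The document root, server name, upload directory and PHP-FPM socket path are assumptions; adjust them for the real deployment.

```nginx
# Added example (not from the original advisory). All paths, the server name,
# the upload directory and the PHP-FPM socket are assumed values.
#
# PHP side, for reference:
#   php.ini               cgi.fix_pathinfo = 0          (the page's primary fix)
#   php-fpm pool (www.conf) security.limit_extensions = .php
#                         (default since PHP 5.3.9; make sure it is not overridden)

# VULNERABLE handler (shown commented out, do not use):
# every URI ending in .php, including /uploads/avatar.jpg/x.php, is proxied to
# PHP-FPM with SCRIPT_FILENAME=/var/www/html/uploads/avatar.jpg/x.php. With
# cgi.fix_pathinfo=1 PHP strips /x.php, finds avatar.jpg and executes it.
#
# location ~ \.php$ {
#     include fastcgi_params;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#     fastcgi_pass unix:/run/php/php-fpm.sock;
# }

server {
    listen 80;
    server_name example.test;
    root /var/www/html;

    # Regex locations are matched in order, so this rule is placed first:
    # nothing under the upload directory is ever executed, whatever its name.
    location ~ ^/uploads/.*\.php$ {
        return 403;
    }

    # HARDENED handler.
    location ~ \.php$ {
        # 1. Only proxy if the script named by the URI exists on disk.
        #    /uploads/avatar.jpg/x.php does not, so nginx answers 404 itself
        #    and PHP never sees the request.
        try_files $uri =404;

        # 2. The advisory's own check as a second layer: reject any script
        #    name with a dot followed later by a slash (a file used as a
        #    directory). "return" inside "if" is one of the safe uses of "if".
        if ($fastcgi_script_name ~ \..*\/.*php) {
            return 403;
        }

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading nginx, a request for /uploads/avatar.jpg/x.php should return 403 from the upload rule, and a request for /index.php/x.php or /anything.txt/x.php outside the upload directory should return 404 from try_files; only a real .php file under the document root should reach PHP-FPM.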