Alex, 2019-10-31 12:40:57

How to fix PHP-FPM + Nginx vulnerability issue?

Current news: https://www.opennet.ru/opennews/art.shtml?num=51749
My config:

location ~ \.php$ {
    limit_req zone=php2zone burst=5 nodelay;
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

Did I understand correctly that try_files $fastcgi_script_name =404 should be added after fastcgi_split_path_info? Or try_files $document_root$fastcgi_script_name =404?


5 answer(s)
FanatPHP, 2019-10-31
@FanatPHP

This config is not vulnerable.
Which, in fact, is what is written at the link.

Andrey Gavrilov, 2019-10-31
@thexaver

Just update php-fpm

profesor08, 2019-10-31
@profesor08

Update and forget.

ArgosX, 2019-10-31
@ArgosX

In php.ini, set cgi.fix_pathinfo=0
And if via nginx, then:

location ~ \.php$ {
    # Return 404 unless the resolved script exists on disk
    try_files $fastcgi_script_name =404;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    include fastcgi_params;
}
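
An added example, not written by any poster in this thread: a small Python audit that flags nginx location blocks which hand requests to PHP-FPM with fastcgi_split_path_info but without one of the two try_files guards mentioned above ($uri or $fastcgi_script_name followed by =404). The sample config, the /app/ and /api/ selectors and the function names are constructed for illustration.

```python
import re

# Constructed sample: three PHP locations, only the middle one lacks a guard.
SAMPLE = r"""
server {
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    }
    location ~ ^/app/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # try_files $uri =404;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    }
    location ~ ^/api/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    }
}
"""

LOCATION_RE = re.compile(r"\blocation\s+([^{;]+?)\s*\{")
GUARD_RE = re.compile(r"\btry_files\s+(?:\$uri|\$fastcgi_script_name)\s+=404\s*;")

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in config")

def audit(conf_text):
    """List selectors of FastCGI locations that split PATH_INFO without a guard."""
    text = re.sub(r"(?m)^\s*#.*$", "", conf_text)  # commented-out guards do not count
    flagged = []
    for m in LOCATION_RE.finditer(text):
        body = block_body(text, m.end() - 1)
        if ("fastcgi_pass" in body and "fastcgi_split_path_info" in body
                and not GUARD_RE.search(body)):
            flagged.append(m.group(1).strip())
    return flagged

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check is textual: it does not follow include files or recognise other guard styles, so a flagged block is a prompt for manual review rather than proof of exposure.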

Vladislav, 2019-11-28
@Jewish_Cat

I recommend using this site
