Newsgroups: php.internals
Date: Fri, 21 May 2010 21:58:53 +0200
To: php-dev
Subject: nginx + php-fcgi : 0day exploit ?
From: jerome@loyet.net (Jérôme Loyet)

Hi guys,

On the nginx mailing list, there is an interesting conversation about the usage of php through fastcgi with nginx which can cause a security hole: http://forum.nginx.org/read.php?2,88845

I don't really know the origin of the fix_pathinfo ini variable. So I don't know if it's really a bug or a misconfiguration.

What do you think?

++ Jerome