Newsgroups: php.internals
Date: Fri, 30 Jul 2010 10:08:50 +0200
Subject: Re: [PHP-DEV] nginx + php-fcgi : 0day exploit ?
From: info@tyrael.hu (Ferenc Kovacs)
Cc: php-dev

2010/5/21 Jérôme Loyet:
> Hi guys,
>
> On the nginx mailing list, there is an interesting conversation about
> the usage of php through fastcgi with nginx which can cause a security
> hole:
> http://forum.nginx.org/read.php?2,88845
>
> I don't really know the origin of the fix_pathinfo ini variable. So I
> don't know if it's really a bug or a mis-configuration.
>
> What do you think ?
>
> ++ Jerome

bump.

Tyrael