2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to fix the image-upload vulnerability in websites built on nginx+php. Interested readers may wish to take a look; the method described here is simple, fast and practical. Let the editor take you through how to fix the image-upload vulnerability in a website built on nginx+php.
Websites built with nginx+php can be hacked as long as they allow users to upload pictures. The top domestic security team 80sec issued a vulnerability bulletin about nginx at 6:00 p.m. on May 20. As of the early morning of May 21, nginx had not yet released a patch for this vulnerability, and some websites have already been hacked, so administrators should fix it quickly!
According to Netcraft, as of April 2010 there were 13 million servers running nginx worldwide. A very conservative estimate is that at least 6 million of them run nginx with PHP support enabled, and a further conservative estimate is that 1 million of those allow users to upload pictures. (As the saying goes, a picture is proof.)
Yes, because of this nginx vulnerability, those 1 million servers could easily have Trojans (web shells) planted on them by hackers simply by uploading a picture. Planting the Trojan is also very simple: the Trojan is disguised as an image and uploaded. Because the harm is so great, we will not go into the details.
Having said all that, I imagine everyone is curious about 80sec, the top security team. Let the author (Vegetarian Steamed Bun) give a brief introduction.
The 80sec team is made up of a group of young, energetic, passionate and creative unmarried DotA-playing men who work in information security at major Internet companies. Their slogan is "know it then hack it". Vegetarian Steamed Bun agrees with this view: "as long as we are very familiar with something, we can objectively find its shortcomings, and also find its strengths."
Here is a description of their achievements: they have found vulnerabilities in IIS, IE, Firefox, Maxthon, Window of the World, PHPWind, DedeCMS, QQ Mail, QuarkMail, ExtMail and other software.
Having introduced 80sec, we have to introduce another top security team, 80vul, which focuses heavily on web security and is also made up of post-80s guys (the post-90s say they are under a lot of pressure :P). They have also found a large number of web application security vulnerabilities, in IE, Gmail, WordPress, PHPWind, Discuz!, MyBB and so on.
It is said that hackers are already on the move, so security staff and system administrators should act quickly to fix this vulnerability. Do not take chances, or your website may be the next one hacked. According to the 80sec security bulletin, the temporary fixes are as follows; choose one of the three.
1. Set cgi.fix_pathinfo in php.ini to 0 and restart php. This is the most convenient, but you need to assess the impact of changing this setting yourself.
2. Add the following to the nginx vhost configuration and restart nginx. This is also convenient when there are few vhosts.
    if ($fastcgi_script_name ~ \..*\/.*php) {
        return 403;
    }
3. Prevent the upload directory from interpreting PHP programs. This does not have to be done in the web server itself. If there are many vhosts and servers, the difficulty rises sharply when it has to be done in a short time, so it is recommended when there are few vhosts and servers.
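As an added illustration (not part of the 80sec bulletin or this article), the following Python model shows what the two configuration fixes change: the nginx rule from method 2 applied to sample script names, and a simplified model of php-cgi's cgi.fix_pathinfo walk-back that method 1 switches off. The document root and file list are constructed for the example. Note the rule's known side effect, also shown: a legitimate script under a directory whose name contains a dot is rejected as well.

```python
import re
from typing import Optional

# Method 2's rule, as in nginx: if ($fastcgi_script_name ~ \..*\/.*php)
# It matches a dot, then a later slash, then "php": the script name
# runs "through" a file name instead of ending at one.
FASTCGI_BLOCK_RULE = re.compile(r"\..*\/.*php")


def nginx_rule_blocks(script_name: str) -> bool:
    """True if method 2's `return 403` would reject this script name."""
    return FASTCGI_BLOCK_RULE.search(script_name) is not None


# Constructed stand-in for files that really exist under the document root
# (assumption for this example, not from the article).
EXISTING_FILES = {
    "/var/www/index.php",
    "/var/www/uploads/photo.jpg",
}


def resolve_script(script_filename: str, fix_pathinfo: int) -> Optional[str]:
    """Model how php-cgi chooses the file to execute for SCRIPT_FILENAME.

    fix_pathinfo=1: if the path does not exist, drop one trailing path
    component at a time until an existing file is found; the dropped
    remainder becomes PATH_INFO and the found file is executed.
    fix_pathinfo=0 (method 1): only the exact path counts; no walk-back,
    php-cgi answers "No input file specified."
    """
    if script_filename in EXISTING_FILES:
        return script_filename
    if fix_pathinfo == 0:
        return None
    path = script_filename
    while "/" in path.strip("/"):
        path = path.rsplit("/", 1)[0]
        if path in EXISTING_FILES:
            return path
    return None


def served_file(uri: str, fix_pathinfo: int, rule_enabled: bool,
                docroot: str = "/var/www") -> Optional[str]:
    """Which file php would execute for a request URI under a given setup.

    With the classic `location ~ \\.php$` + `$document_root$fastcgi_script_name`
    setup, $fastcgi_script_name is the whole URI, so the rule sees it as-is.
    """
    if rule_enabled and nginx_rule_blocks(uri):
        return None  # nginx returned 403 before php-cgi saw the request
    return resolve_script(docroot + uri, fix_pathinfo)
```

Running `served_file("/uploads/photo.jpg/x.php", 1, False)` returns the uploaded image itself, which is exactly the file that would be handed to the PHP interpreter; either fix makes it return `None`.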
At this point, I believe you have a deeper understanding of how to fix the image-upload vulnerability in websites built on nginx+php. You might as well try it in practice. For more related content, visit the relevant channels on this website, follow us, and keep learning!