The attack is possible in nginx configurations that forward requests to PHP-FPM by splitting part of the URL with "fastcgi_split_path_info" and setting the PATH_INFO environment variable, but without first checking that the requested file exists via the "try_files $fastcgi_script_name" directive or "if (!-f $document_root$fastcgi_script_name)". The problem also
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
You can track the fix in distributions on this page:
try_files $fastcgi_script_name =404;
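A small configuration audit that flags location blocks matching the vulnerable pattern described above, added here as an example (not code from the original article or from nginx/PHP). It assumes a simplified nginx syntax (location blocks with at most one level of nested braces) and treats either of the two guard directives named above as sufficient; the sample configurations are constructed from the block shown on this page.

```python
import re

# Constructed sample: the nginx block shown above, which splits PATH_INFO without checking the file exists.
VULNERABLE_CONF = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

# Constructed sample: the same block with the try_files guard added.
HARDENED_CONF = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

# Either directive makes nginx refuse requests whose script does not exist on disk.
GUARDS = (
    re.compile(r"try_files\s+\$fastcgi_script_name\b"),
    re.compile(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)"),
)
LOCATION = re.compile(r"location\s+([^{]+)\{")

def location_blocks(conf):
    """Yield (header, body) per location block, counting braces so nested if-blocks stay in the body."""
    pos = 0
    while (m := LOCATION.search(conf, pos)) is not None:
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]
        pos = i

def audit(conf):
    """Return headers of location blocks that set PATH_INFO from a split regex without a file-existence guard."""
    findings = []
    for header, body in location_blocks(conf):
        splits = re.search(r"fastcgi_split_path_info\s", body) is not None
        sets_path_info = re.search(r"fastcgi_param\s+PATH_INFO\b", body) is not None
        if splits and sets_path_info and not any(g.search(body) for g in GUARDS):
            findings.append(header)
    return findings
```

Running `audit` over a real nginx.conf (after `nginx -T` to expand includes) lists the location headers that still need a guard.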
The problem is caused by an error in pointer handling in the file
If the fastcgi_split_path_info directive defines the script path split with a regular expression that is sensitive to newlines (for example, many guides recommend "^(.+?\.php)(/.*)$"), an attacker can ensure that an empty value is written to the PATH_INFO environment variable. In that case, further along the execution
By requesting a specially formatted URL, an attacker can move the path_info pointer to the first byte of the "_fcgi_data_seg" structure, and writing a zero to this byte shifts the "char *pos" pointer into the memory area that precedes it. The subsequent FCGI_PUTENV call then overwrites that memory with attacker-controlled data. The same memory holds the values of other FastCGI variables, so by writing there an attacker can forge a PHP_VALUE variable and achieve code execution.
Source: opennet.ru