Changes between Initial Version and Version 1 of Ticket #19235, comment 11
- 11/11/11 23:49:43 (18 months ago)
initial v1 1 1 Just to add to the discussion, allowing direct access to the files under nginx/php-fpm can allow remote code execution if the server is configured poorly: 2 2 3 http://wiki.nginx.org/Pitfalls#Pass_Non-PHP_Requests_to_PHP. 3 [http://wiki.nginx.org/Pitfalls#Pass_Non-PHP_Requests_to_PHP.] 4 4 5 5 Under WordPress 3.2.1, I can upload a file "foo.jpg" that contains PHP, and an attacker could craft a URL that causes PHP to evaluate the contents of this file. There are several ways to protect yourself, and nginx/php-fpm is the less common server setup, but ms-blogs.php offers basic protection if you keep blogs.dir out of the document root. Felt like it should be part of the thread.