Changes between Initial Version and Version 1 of Ticket #19235, comment 11


Ignore:
Timestamp: 11/11/11 23:49:43
Author: scribu
Ticket #19235, comment 11 (initial version vs. v1; the only change is that the link on the second line was wrapped in brackets):

Just to add to the discussion, allowing direct access to the files under nginx/php-fpm can allow remote code execution if the server is configured poorly:

initial: http://wiki.nginx.org/Pitfalls#Pass_Non-PHP_Requests_to_PHP.
v1:      [http://wiki.nginx.org/Pitfalls#Pass_Non-PHP_Requests_to_PHP.]

Under WordPress 3.2.1, I can upload a file "foo.jpg" that contains PHP, and an attacker could craft a URL that causes PHP to evaluate the contents of this file. There are several ways to protect yourself, and nginx/php-fpm is the less common server setup, but ms-blogs.php offers basic protection if you keep blogs.dir out of the document root. Felt like it should be part of the thread.
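As an added illustration (not part of the ticket or of the comment author's text), here is the nginx pattern the linked pitfall warns about, beside a hardened variant; the document root, socket path and upload directories are assumed placeholders, and the two server blocks are alternatives, not meant to coexist.

```nginx
# Weak: every URI ending in .php is handed to php-fpm without checking
# that the requested file exists. With PHP's default cgi.fix_pathinfo=1,
# php-fpm falls back to the nearest existing path component, which is
# how a PHP-bearing upload such as "foo.jpg" can end up executed as PHP.
server {
    root /var/www/example;                    # assumed document root
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;  # assumed socket path
    }
}

# Hardened alternative.
server {
    root /var/www/example;                    # assumed document root

    # Regex locations match in order of appearance, so this deny rule
    # must precede the generic .php location. Nothing under the
    # user-writable upload paths is ever executed, whatever its name.
    location ~* ^/wp-content/(uploads|blogs\.dir)/.*\.php$ {
        deny all;
    }

    location ~ \.php$ {
        # Refuse the request unless the literal URI is an existing file;
        # the pitfall depends on a URI that names a non-existent path.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;  # assumed socket path
    }
}
```

Setting cgi.fix_pathinfo=0 in php.ini removes the fallback on the PHP side as well, and keeping blogs.dir outside the document root, as the comment suggests, means there is no direct URL to those files in the first place.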