Thread: New vulnerability!! Warning

  1. #1

    New vulnerability!! Warning

    Not inside AIHS but with AIHS+PHP+NGINX.
    (my server had this vulnerability)

    Try it on your server.

    How to check:
    1. Upload the image I have attached here to your server.
    2. Try to open it (e.g. site.com/upload/eb394cd11.gif) and then append the suffix /.php, so the link becomes site.com/upload/eb394cd11.gif/.php

    If the phpinfo output opens, you have this vulnerability.

    Now how to fix it:
    1) add in php.ini

    Code:
    cgi.fix_pathinfo=0
    2) or, a less advised method, add to nginx.conf

    Code:
    location ~ \.php$ {
        # only hand the request to PHP-FPM if the requested path is a real file
        if ( -f $request_filename ) {
            fastcgi_pass unix:/tmp/php-fpm.sock;
        }
        fastcgi_index index.php;
        # FastCGI parameter names are case-sensitive; PHP-FPM expects SCRIPT_FILENAME
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        include fastcgi_params;
    }
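    An added example, not code from the thread or from the AIHS project: a full nginx server block that shows the weak `location ~ \.php$` (left commented out) next to a hardened version using `try_files`, and that serves the upload directory as static files only. The hostname, document root and PHP-FPM socket path are assumed values.

```nginx
# Added example (not from the thread). Hostname, root and socket are assumptions.
server {
    listen 80;
    server_name example.com;          # assumed
    root /var/www/html;               # assumed document root

    # Uploaded images are static content: serve them, never execute them.
    location ^~ /upload/ {
        # Anything PHP-like under the upload tree is refused outright.
        location ~ \.php {
            return 403;
        }
        # Exact file or 404; nothing falls through to the PHP handler.
        try_files $uri =404;
    }

    # WEAK: this is what the affected setup amounts to. The regex matches
    # /upload/eb394cd11.gif/.php, that path is not a file, and PHP with
    # cgi.fix_pathinfo=1 walks back to eb394cd11.gif and runs it as PHP.
    #
    # location ~ \.php$ {
    #     fastcgi_pass unix:/tmp/php-fpm.sock;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }

    # HARDENED: only requests whose literal URI exists on disk reach PHP-FPM.
    location ~ \.php$ {
        # /upload/eb394cd11.gif/.php is not a file, so this answers 404 before
        # fastcgi_pass ever runs; no "if" block is needed.
        try_files $uri =404;
        fastcgi_pass unix:/tmp/php-fpm.sock;   # assumed socket path
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

    `try_files $uri =404` is the idiomatic replacement for the `if ( -f $request_filename )` construct above and covers both the `/.php` suffix and the `%00.php` form, since neither resolves to an existing file. Keep `cgi.fix_pathinfo=0` in php.ini as the second layer, and on PHP-FPM 5.3.9 or later leave the pool setting `security.limit_extensions` at its default of `.php` so the FPM side also refuses to execute a `.gif`.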

  2. #2


    Hi xavior, for the AIH nginx URL rewrite, you know what?

    and this problem?: http://www.ressim.net/l/upload/2872f5c8.gif/.php

  3. #3


    Sorry, can't see it, it's not displaying.

    NEW (old) VULNERABILITY

    The previous one was about eb394cd11.gif/.php

    Now it's with eb394cd11.gif%00.php

    In fact /. is the same as %00.

    I've just been hacked for a second time...

    VULNERABILITY IN NGINX SERVER
