nginx 0.7 <= 0.7.65
nginx 0.8 <= 0.8.37
Vulnerability description: Possible Arbitrary Code Execution with Null Bytes, PHP, and Old Versions of nginx
In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h).
Individual modules have the ability to opt out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.
1. The attack itself is simple: a malicious user who makes a request to http://example.com/file.ext%00.php causes file.ext to be parsed as PHP.
3. If an attacker can control the contents of a file served up by nginx (e.g., using an avatar upload form), the result is arbitrary code execution. This vulnerability cannot be mitigated by nginx configuration settings like try_files or PHP configuration settings like cgi.fix_pathinfo: the only defense is to upgrade to a newer version of nginx or to explicitly block potentially malicious requests to directories containing user-controlled content.
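A defender-side check for the condition described above, added here as an example and not part of the original advisory: it tests a version string against the ranges listed at the top of this page and flags access-log requests of the form file.ext%00.php. The function names, the combined log format and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Highest affected patch level per branch, as listed on this page.
AFFECTED_MAX = {(0, 7): 65, (0, 8): 37}

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /uploads/avatar.jpg HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /uploads/avatar.jpg%00.php HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1 HTTP/1.1" 200 900 "-" "-"',
]


def is_affected(version):
    """True if a version string such as '0.7.61' falls in the listed ranges."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    limit = AFFECTED_MAX.get((major, minor))
    return limit is not None and patch <= limit


def find_null_byte_php(lines):
    """Return (line_no, file_before_null, full_path) for file.ext%00.php requests."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = urlsplit(m.group(1)).path  # drop any query string
        head, sep, tail = path.partition("%00")
        # An encoded null byte followed by a .php suffix is the pattern
        # this advisory describes; head is the file that would be parsed.
        if sep and tail.lower().endswith(".php"):
            hits.append((line_no, head, path))
    return hits


if __name__ == "__main__":
    print("0.8.37 affected:", is_affected("0.8.37"))
    for hit in find_null_byte_php(SAMPLE_LOG):
        print("suspicious request:", hit)
```

A hit on a server whose version is in the affected range, where the file before the null byte sits in a directory holding user-controlled content, is the case to investigate first.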