Nginx Code Execution due to Misconfiguration

Impact: High

Description

Misconfigurations in Nginx, particularly in the location block that hands requests to PHP-FPM (FastCGI Process Manager), can lead to a critical security vulnerability. An attacker exploits this misconfiguration by appending /.php to the URL of any file, which causes the server to pass the request to PHP-FPM and execute arbitrary PHP code.

Recommendation

To mitigate this risk, modify the PHP-FPM location block in your Nginx configuration as follows:

  location ~ [^/]\.php$ {
    ...
  }

Ensure that the location directive includes [^/] before \.php, so that the pattern only matches request paths with at least one non-slash character immediately before .php; a path ending in /.php then no longer reaches PHP-FPM, which prevents unauthorized execution of PHP scripts.
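As an added check, not part of this advisory or of nginx itself, the following Python compares the weak and hardened location patterns against constructed request paths and flags regex location blocks in an nginx config that would still match a path ending in /.php. The config text, the request paths and the PHP-FPM socket path are constructed samples; Python's re module stands in for nginx's PCRE, which behaves identically for these patterns.

```python
import re

# Location regexes exactly as nginx would evaluate them for "location ~ ...".
WEAK_LOCATION = r"\.php$"          # matches any path ending in .php, including "/.php"
HARDENED_LOCATION = r"[^/]\.php$"  # requires a non-slash character right before ".php"


def matches_location(pattern: str, uri: str) -> bool:
    """nginx 'location ~' is an unanchored, case-sensitive regex search on the path."""
    return re.search(pattern, uri) is not None


def audit_php_locations(nginx_conf: str) -> list[str]:
    """Return the regex patterns of 'location ~' blocks that route .php requests
    and would also match a request path ending in '/.php' (constructed helper)."""
    findings = []
    for m in re.finditer(r"location\s+~\*?\s+(\S+)\s*\{", nginx_conf):
        pattern = m.group(1)
        if ".php" in pattern and matches_location(pattern, "/uploads/avatar.png/.php"):
            findings.append(pattern)
    return findings


# Constructed nginx config: one weak block and one hardened block.
SAMPLE_CONF = r"""
server {
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location ~ [^/]\.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""

# Constructed request paths: a real script and an uploaded image with /.php appended.
SAMPLE_PATHS = ["/index.php", "/uploads/avatar.png/.php"]

if __name__ == "__main__":
    for uri in SAMPLE_PATHS:
        print(f"{uri:28} weak={matches_location(WEAK_LOCATION, uri)!s:5} "
              f"hardened={matches_location(HARDENED_LOCATION, uri)}")
    print("vulnerable location patterns:", audit_php_locations(SAMPLE_CONF))
```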

Last updated on May 13, 2024
