Description
A common misconfiguration in Nginx setups that hand requests to PHP-FPM (FastCGI Process Manager) is a location block such as location ~ \.php$ that forwards any URI ending in .php to PHP-FPM without checking that the requested file exists. When PHP is also running with cgi.fix_pathinfo=1 (the php.ini default), an attacker can append /.php to the URL of any file under the web root, for example an uploaded image containing PHP code, and PHP-FPM will walk back the path to the existing file and execute it as PHP, giving the attacker arbitrary code execution on the server.
Recommendation
To mitigate this risk, modify the PHP-FPM location block in your Nginx configuration so that it only matches requests whose final path segment is a PHP script:
location ~ [^/]\.php$ {
...
}
The [^/] before \.php requires at least one character other than a slash immediately before the .php suffix, so a URI such as /uploads/image.jpg/.php no longer matches the location and is never handed to PHP-FPM. Note that this pattern alone does not cover the older variant /uploads/image.jpg/anything.php, whose last segment still matches: with cgi.fix_pathinfo=1 PHP-FPM walks back the path until it finds an existing file and executes image.jpg as PHP. Close that path as well by adding try_files $uri =404; inside the location block so that Nginx only forwards requests whose exact path exists on disk, by setting cgi.fix_pathinfo=0 in php.ini, and by leaving security.limit_extensions at its default of .php in the PHP-FPM pool configuration.