by cnst
2424 days ago
Well, for what it's worth, I think the best practice was always to test the existence of the PHP script, either with `try_files`, or with `if`, so, if you do that, then you aren't vulnerable, according to the exploit.

E.g., if you follow the "PHP FastCGI Example" from nginx.com, then nginx would protect you from this vulnerability in PHP-FPM:

* http://web.archive.org/web/20150928021324/https://www.nginx....

Here's the current version of the page, which seems to have the same info as the archived one above:

* https://www.nginx.com/resources/wiki/start/topics/examples/p...

(I think it used to be at another URL prior to the involvement of the marketing department in 2015; not sure if it's worth finding at this point, because the bug is not even in nginx in the first place.)
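The existence check described in the comment above, as an added example that is not part of the original comment and is not copied from the nginx.com page. The two `location` blocks are alternatives (use one, not both), and the `127.0.0.1:9000` upstream and the location regex are assumptions.

```nginx
# Added example. Assumed values: upstream 127.0.0.1:9000, the location regex.
# Variants A and B are alternatives; a server block may contain only one of them.

# Variant A: existence check with `if`
location ~ [^/]\.php(/|$) {
    # Split "/app.php/extra" into $fastcgi_script_name and $fastcgi_path_info.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # Answer 404 from nginx unless the script is a regular file on disk,
    # so PHP-FPM only ever receives a script name nginx has verified.
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
}

# Variant B: the same check with `try_files`
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # `set` runs in the rewrite phase, before try_files, so it keeps a copy
    # of PATH_INFO that survives try_files resetting $fastcgi_path_info.
    set $path_info $fastcgi_path_info;

    # Answer 404 from nginx if the script file does not exist under the root.
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $path_info;
    fastcgi_pass 127.0.0.1:9000;
}
```

After editing, `nginx -t` validates the syntax; a request for a nonexistent `.php` path should then return a 404 generated by nginx without reaching PHP-FPM.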