- |
If nginx and php-fpm share the same filesystem, one can first check the script actually exists, so the malicious request will never make it to php-fpm (it is usually done using something like `try_files $uri =404`). Or there may be cgi.fix_pathinfo=0 which will also prevent exploitation. |
+ |
If nginx and php-fpm share the same filesystem, one can first check the |
+ |
script actually exists, so the malicious request will never make it to |
+ |
php-fpm (it is usually done using something like `try_files $uri |
+ |
=404`). Or there may be cgi.fix_pathinfo=0 which will also prevent |
+ |
exploitation. |
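Review bot: the rewrap in this hunk splits the inline-code directive `try_files $uri =404` across two lines (`try_files $uri` on one line, `=404` on the next), which can break the backtick span when rendered and leaves a reader copying a directive with a stray line break in it; keep the whole directive on one line. For the same reason, `cgi.fix_pathinfo=0` would read better in backticks as a literal setting, with a word on where it lives (it is a PHP configuration directive, not an nginx one), so the paragraph clearly presents two separate mitigations: the nginx-side existence check, which the text correctly limits to the case where nginx and php-fpm share a filesystem, and the PHP-side option.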