Security breach with the standard NGINX configuration

  • Hello,


    My website uses the default NGINX config with a website running with Perch 3.1.5 and PHP 7.2.24. Here is the NGINX conf:

    location / {
        try_files $uri $uri/;
    }


    The problem appears when the user uses this type of URL:

    https://www.example.com/my-rea…fake_folder/fake_page.php


    In this case, the NGINX server interprets the script "my-real-page.php" and Perch, which is active on this page, uses the variable $_SERVER['SCRIPT_NAME'] to find out what to do.


    Since $_SERVER['SCRIPT_NAME'] contains "/my-real-page.php/fake_folder/fake_page.php" and not only "/my-real-page.php", then Perch will create a new page "fake_page".


    To avoid this problem, I add a PHP script in your runtime.php to wash the $_SERVER['SCRIPT_NAME'] and remove everything after the first ".php".


    Do you know this bad behaviour?
    Do you have a fix for the NGINX config?


    Thanks in advance

  • drewm

    Approved the thread.
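
The workaround described in the first post (cutting `$_SERVER['SCRIPT_NAME']` after the first ".php"), as an added example that is not the poster's script and not Perch code. The helper name `split_script_name()` and the sample paths are assumptions made for illustration.

```php
<?php
// Added example: not Perch code. split_script_name() is a hypothetical helper.

/**
 * Split a request path at the first path segment that ends in ".php".
 * Returns [script, extra]; extra is '' when nothing follows the script.
 */
function split_script_name(string $raw): array
{
    // SCRIPT_NAME should not carry a query string or NUL bytes; drop them defensively.
    $path = str_replace("\0", '', explode('?', $raw, 2)[0]);

    // Lazy match stops at the first ".php" that is followed by "/" or end of string,
    // so "/a.phpx/b.php" is not cut at ".phpx".
    if (preg_match('#^(.*?\.php)(/.*)?\z#is', $path, $m) === 1) {
        return [$m[1], $m[2] ?? ''];
    }
    return [$path, '']; // no PHP script segment: leave the value alone
}

// Constructed sample values (paths modelled on the post).
$samples = [
    '/my-real-page.php',
    '/my-real-page.php/fake_folder/fake_page.php',
    '/My-Real-Page.PHP/x',
    '/a.phpx/b.php/c',
    '/index.html',
];

foreach ($samples as $raw) {
    [$script, $extra] = split_script_name($raw);
    printf("%-45s => SCRIPT_NAME=%s extra=%s\n", $raw, $script, $extra === '' ? '(none)' : $extra);
}

// In a real request the result would be written back before the CMS reads it:
//   [$_SERVER['SCRIPT_NAME'], $extra] = split_script_name($_SERVER['SCRIPT_NAME']);
// A stricter variant answers 404 whenever $extra is non-empty.
```

Returning the trailing part separately lets the caller log or reject requests that carry extra path segments instead of silently discarding them.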