Description
A critical security issue was reported on servers that run Nginx and PHP via FastCGI. This issue may allow attackers to execute their own PHP code on the system.The problem is not caused by nginx itself, it's related with the PHP option cgi.fix_pathinfo. When this option is enabled, PHP will rewrite SCRIPT_FILENAME and PATH_INFO parameters. When combined with Nginx, this turns into a security issue.
Remediation
set cgi.fix_pathinfo = 0 in php.ini
or
configure nginx using the code below:
if ( $fastcgi_script_name ~ \..*\/.*php ) { return 403; }
References
Related Vulnerabilities
Three.js Uncontrolled Resource Consumption Vulnerability (CVE-2020-28496)
FrontAccounting Cross-site Request Forgery (CSRF) Vulnerability (CVE-2018-7176)
Oracle JRE CVE-2013-2383 Vulnerability (CVE-2013-2383)
osCommerce Other Vulnerability (CVE-2004-2638)
PostgreSQL Untrusted Search Path Vulnerability (CVE-2020-10733)