MyBB
Latest revision as of 19:31, 1 April 2012

Here is a basic configuration file, which works great as of MyBB 1.6.3.

server {
    server_name quantifiedselfforum.com;

    access_log logs/qsforum.access;
    error_log  logs/qsforum.error error;

    root /var/www/qsforum;

    location / {
        index index.php;
    }

    # Deny access to internal files. The pattern is anchored to the start
    # of the URI so that it cannot match "/inc" inside an unrelated path
    # such as /images/inc.png. nginx tries regex locations in the order
    # they appear and takes the first match, so this block must stay
    # above the PHP block.
    location ~ ^/(inc|uploads/avatars) {
        deny all;
    }

    # Pass the php scripts to the fastcgi server
    location ~ \.php$ {
        fastcgi_pass unix:/tmp/php.socket;
        # Necessary for php.
        fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        # Unmodified fastcgi_params from nginx distribution.
        include fastcgi_params;
    }
}

There is a potential security flaw, e.g. if a user uploads an avatar image pic.gif that contains valid PHP code and then requests /uploads/avatars/pic.gif/foo.php. The issue is discussed on the Pitfalls page (http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP). Because the URI ends with .php, nginx passes it to the PHP interpreter. PHP cannot find the file /uploads/avatars/pic.gif/foo.php, but with cgi.fix_pathinfo=1 it tries to be smart: it strips trailing path components until it finds a file that exists, treats the remainder (/foo.php) as PATH_INFO, and executes /uploads/avatars/pic.gif as a PHP script. To avoid this, set cgi.fix_pathinfo=0 in your php.ini; the default is unfortunately cgi.fix_pathinfo=1. With the configuration above the avatar path happens to be caught by the deny block first (nginx takes the first matching regex location), but any other user-writable path under /uploads is not, so the php.ini change is still needed. The nginx-side equivalent is try_files $uri =404; inside the PHP location, which keeps requests for non-existent scripts from reaching PHP at all.
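Hardened form of the PHP block, added here as an illustration; it is not part of the wiki page's configuration, and the socket path is simply the one used above. try_files $uri =404 makes nginx check that the requested URI maps to an existing file before it hands the request to PHP-FPM, so /uploads/avatars/pic.gif/foo.php is answered with 404 without PHP ever seeing it, whatever cgi.fix_pathinfo is set to. The extra deny block refuses to execute anything under /uploads even if a genuine .php file is ever written there; it has to come before the PHP block because nginx takes the first matching regex location.

```nginx
# Added example (not the wiki page's own configuration).

# Never execute scripts out of the user-writable upload tree, even if a real
# .php file ends up there. Must precede the generic PHP block: regex locations
# are matched in order of appearance and the first match wins.
location ~ ^/uploads/.*\.php$ {
    deny all;
}

# Weak form (as on the page): any URI ending in .php reaches PHP, and PHP
# with cgi.fix_pathinfo=1 walks back the path to the first existing file.
#
#   location ~ \.php$ {
#       fastcgi_pass unix:/tmp/php.socket;
#       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#       include fastcgi_params;
#   }

# Hardened form: refuse the request with 404 unless $document_root$uri is an
# existing file. /uploads/avatars/pic.gif/foo.php does not exist as a file,
# so PHP never receives it.
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/tmp/php.socket;
    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include fastcgi_params;
}

# Keep cgi.fix_pathinfo=0 in php.ini as well, so the fix does not depend on
# every PHP location in every server block remembering the try_files line.
```

Check the syntax with nginx -t, reload, and confirm that a request such as curl -I http://quantifiedselfforum.com/uploads/avatars/pic.gif/foo.php now returns 404 rather than 200. Newer PHP-FPM releases additionally refuse to run files whose extension is not listed in security.limit_extensions (default .php), which closes the same hole from the PHP side; the nginx-side check is still worth keeping.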

See PHPFcgiExample for details on creating the UNIX socket, and this forum post (http://community.mybb.com/thread-51764.html) on enabling human-readable (aka SEO-friendly) URLs using the Google SEO plugin.