nginx-related manual security fault

Katsuro

Member
In the XenForo 2.x manual, where the nginx webserver configuration is described, there's a potential security fault related to PHP scripts:
With this setup, every visitor can still execute any PHP scripts inside protected folders, like src, internal_data, etc.
All protected routes need to have ^~ at the beginning of the path, so the final version should look like this:
NGINX:
# ^~ : when this is the longest matching prefix, nginx stops here and never
# consults the regex locations (so the \.php$ block below cannot win for
# anything under these paths). `internal` makes direct client requests 404.
location ^~ /xf/install/data/ {
    internal;
}

location ^~ /xf/install/templates/ {
    internal;
}

location ^~ /xf/internal_data/ {
    internal;
}

location ^~ /xf/library/ { #legacy
    internal;
}

location ^~ /xf/src/ {
    internal;
}

# plain prefix: regex locations are still checked after this one matches,
# which is what routes /xf/index.php to the PHP block below
location /xf/ {
    try_files $uri $uri/ /xf/index.php?$uri&$args;
    index index.php index.html;
}

# regex location: without ^~ on the protected prefixes above, this block
# would be selected for /xf/src/anything.php and execute it
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass    127.0.0.1:9000;
    fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include         fastcgi_params;
}
This should be fixed ASAP to avoid any problems in the future. Note that it's fixed on the official XenForo community: here
Not sure where to publish this issue, so there it is

Reference:
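To make the selection rule behind the report concrete, here is an added example that is not from the post, the manual, or XenForo itself: a small Python model of nginx's location-matching order (exact match, then longest prefix with `^~` short-circuiting, then regexes in file order, then the longest plain prefix). It builds the location set from the post twice, once with `^~` on the protected prefixes and once without (our reading of the pre-fix manual, an assumption), and reports which block would handle a given URI. Names such as `select_location`, `xenforo_locations` and `handler_for` are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Location:
    modifier: str  # "" (prefix), "^~" (prefix, stop regex search), "=" (exact), "~" / "~*" (regex)
    pattern: str
    handler: str   # what the block does: "internal", "front-controller" or "php-fpm"


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Pick the location block nginx would use for a URI (flat locations, no nesting).

    1. an '=' exact match wins outright
    2. the longest matching prefix ('' or '^~') is remembered;
       if it carries '^~' it wins and regex locations are never consulted
    3. otherwise regex locations are tried in file order, first match wins
    4. if no regex matched, the remembered longest prefix wins
    """
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    best: Optional[Location] = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return best


# The protected prefixes exactly as listed in the post.
PROTECTED_PREFIXES = [
    "/xf/install/data/",
    "/xf/install/templates/",
    "/xf/internal_data/",
    "/xf/library/",
    "/xf/src/",
]


def xenforo_locations(use_caret_tilde: bool) -> List[Location]:
    """The post's location set. With use_caret_tilde=False the protected prefixes
    carry no modifier; this models the pre-fix manual and is an assumption."""
    mod = "^~" if use_caret_tilde else ""
    locs = [Location(mod, p, "internal") for p in PROTECTED_PREFIXES]
    locs.append(Location("", "/xf/", "front-controller"))   # try_files ... /xf/index.php
    locs.append(Location("~", r"\.php$", "php-fpm"))        # fastcgi_pass 127.0.0.1:9000
    return locs


def handler_for(uri: str, use_caret_tilde: bool) -> Optional[str]:
    """Name of the block that would handle `uri`, or None if nothing matches."""
    loc = select_location(xenforo_locations(use_caret_tilde), uri)
    return loc.handler if loc else None


if __name__ == "__main__":
    # Constructed sample URIs, not taken from a real request log.
    for uri in ("/xf/src/XF/App.php", "/xf/internal_data/foo.php",
                "/xf/src/README.md", "/xf/index.php", "/xf/threads/1/"):
        print(f"{uri:30} weak={str(handler_for(uri, False)):16} "
              f"fixed={handler_for(uri, True)}")
```

The interesting row is `/xf/src/XF/App.php`: with plain prefixes the longest prefix (`/xf/src/`) is only remembered, the `\.php$` regex then matches and the request is handed to PHP-FPM; with `^~` the prefix wins immediately and `internal` turns the request into a 404. Non-PHP files under `src/` were never at risk either way, since no regex matches them and the longest prefix is used as the fallback, which is why the exposure was specifically about executing scripts rather than reading arbitrary files.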
 
Thanks for reporting this.

We have made these changes live in the manual.

For the avoidance of doubt, a bunch of the XenForo Cloud configuration was actually derived from our production environment here, so, like this site, XenForo Cloud was also not susceptible to this.
 