Urgent security issue in NGINX/php-fpm

I got hit by this also. I’m not sure whether SCRIPTFILENAME and PATHINFO are valid anywhere?

I think it might just be a mistake in the blog post?

e.g. https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html?highlight=nginx has underscores.

I think this kind of news should be sticky at least few days. Can you do it? @system

What about Nextcloud installed via Ubuntu snaps?
Did it got all required updates to its nginx automatically?


Here are more updates since this news thread was opened.

I run a fully-refreshed snap on Ubuntu 16.04. Version information is installed: 16.0.5snap2 (16402) 228MB and I do not see nginx running at all. That leads me to believe the version of php-fpm (which is installed) is not a problem.

Services from nextcloud snap:

$ sudo snap services nextcloud
Service                    Startup  Current   Notes
nextcloud.apache           enabled  active    -
nextcloud.mdns-publisher   enabled  active    -
nextcloud.mysql            enabled  active    -
nextcloud.nextcloud-cron   enabled  active    -
nextcloud.nextcloud-fixer  enabled  inactive  -
nextcloud.php-fpm          enabled  active    -
nextcloud.redis-server     enabled  active    -
nextcloud.renew-certs      enabled  active    -

Nextcloud-Snap comes with Apache and not with nginx, so you should be safe:

I’m just wondering (but could be an idiotic thought): are users really safe just because they run apache? I mean, the bug was actually in PHP (not nginx) in combination with php-fpm. Doesn’t apache use php-fpm as well?

As said, just wondering. Could be a totally misled thought.

WARNING to everybody with nginx version: nginx/1.10.3 (Debian stretch latest)

The directive or cgi_parameter SCRIPTFILENAME will render your Nextcloud website blank.
Change it to SCRIPT_FILENAME.

Are both “Immediate actions” required to be secure? My upstream distribution does not have updated packages available currently.

I am relying on this statement from the initial post:

Is Nginx (under Plesk) with the directives set from this guide affected?

I corrected the article now regarding SCRIPTFILENAME vs. SCRIPT_FILENAME and PATHINFO vs. PATH_INFO. Also I pinned it globally.

Oh - you can edit the first post? Could you please also add what Meiros posted?

There was another change in the nginx config which didn’t make it into the initial post. It would be great if you could add that as well, since many people might not notice the other change.

I actually didn’t want to mess with the official post, but I think you are right. If users already modify their config, it should be done right.

So @all please, check your config again, there has been a little change in the first post!

I see two added lines:

set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;

Edit: Oh, Bernie_O already mentioned that in the post above. My bad.
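For readers who want to see where those two lines sit, here is a generic nginx PHP location block with them in context. This is an added example for this thread, not configuration posted by anyone above and not Nextcloud’s documented config; the `location` regex, the `fastcgi_split_path_info` pattern and the php-fpm socket path are assumptions you must match to your own server.

```nginx
# Added example, not from any post in this thread.
# Paths and the location regex are assumed; adjust to your installation.
location ~ \.php(?:$|/) {
    # Split the URI into the script part (…/index.php) and the trailing path info.
    fastcgi_split_path_info ^(.+?\.php)(/.*|)$;

    # try_files re-evaluates the request and clears $fastcgi_path_info,
    # so capture it into a variable before try_files runs.
    set $path_info $fastcgi_path_info;

    # Hand the request to php-fpm only if the script file really exists on disk;
    # a request for a non-existent .php path gets a 404 instead of reaching PHP.
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    # Underscored names are the ones PHP understands; SCRIPTFILENAME / PATHINFO
    # (without underscores) are silently ignored and leave the site blank.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;

    fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed socket path
}
```

The ordering matters: `set $path_info` must come after `fastcgi_split_path_info` and before `try_files`, otherwise PATH_INFO is passed to php-fpm empty. After changing the block, run `nginx -t` and reload; a blank page afterwards usually means a parameter name is misspelled, as noted earlier in the thread.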

@Schmu Please also update the official blog post. Having two different versions might be a bit confusing.


Sorry, I’m not an official and don’t have access to the blog.
I only jumped in to help forum users pick up the latest config changes directly. We have to wait for @system to do so.

Please remove the typo ^^
I’m running Nginx on a Raspberry Pi as a reverse proxy, and NextcloudPi on another Raspberry Pi. Would it affect me as well?

Asking because I don’t even have ‘rewrite ^ /index.php$request_uri’ under location…