Preventing inadvertent code execution
When trying to construct a configuration that does what you expect it to do, you may inadvertently enable something that you did not expect. Take the following configuration block, for example:
    location ~* \.php {
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
Here we appear to be passing all requests for PHP files to the FastCGI server responsible for processing them. This would be fine if PHP processed only the file it was given, but depending on how PHP is compiled and configured, that is not always the case. It becomes a problem when user uploads are written into the same directory structure that the PHP files live in.
Users may be prevented from uploading files with a .php extension but are allowed to upload .jpg, .png, and .gif files. A malicious user could upload an image file with embedded PHP code and cause the FastCGI server to execute this code by passing a URI with the uploaded filename in it.
To prevent this from happening...
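As an added example (not part of the original text), here is a hardened version of the location block above. It assumes the site root is /var/www/app and that user uploads are stored under /var/www/app/uploads; the FastCGI address 127.0.0.1:9000 is the one from the original block.

```nginx
# Added example, not from the original text. Assumed paths: site root
# /var/www/app, user uploads under /var/www/app/uploads.

root /var/www/app;

# ^~ prefix locations win over regex locations, so nothing under the
# upload directory can ever reach the PHP block below. Uploads are only
# ever served as static files.
location ^~ /uploads/ {
    try_files $uri =404;
}

# Anchor the regex with $ so only URIs that end in .php are handed to
# PHP, rather than any URI that merely contains ".php" somewhere.
location ~* \.php$ {
    # Refuse the request unless exactly this file exists on disk. nginx
    # then never forwards a path that PHP might resolve to a different
    # file than the one nginx matched.
    try_files $uri =404;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}
```

The two controls are independent: the upload prefix location removes PHP from the picture for user content entirely, and try_files keeps the PHP block from forwarding anything that is not a real file. On the PHP side, php-fpm's security.limit_extensions pool setting (which defaults to .php) and cgi.fix_pathinfo=0 in php.ini give the same protection from the other direction, so a mistake in either layer is caught by the other.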