Shopware & NGINX - Remote Code Execution via File Uploads

Disable execution of PHP in the Shopware public directories

Some Shopware 6 extensions implement file uploads that write into Shopware's public directories. In its default configuration Shopware does not guarantee that PHP scripts placed in these directories cannot be executed. For this reason, the following directive should also be added when NGINX is used as the web server:


# Block .php .git .htaccess .env files in public folders
location ~ ^/(media|thumbnail|theme|bundles|sitemap).*\.(php|git|htaccess|env)$ {
    deny all;
}


This directive blocks the execution of .php, .git, .htaccess and .env files in the public directories media, thumbnail, theme, bundles and sitemap.
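To check what the location block above actually covers before relying on it, the following script (an added example, not part of the page or of Shopware) applies the same regular expression to a set of constructed request URIs. The pattern is copied unchanged from the directive; NGINX's `location ~` is case-sensitive and matches the decoded URI without the query string, which the script mirrors. The sample URIs and the helper names `is_blocked` and `check_paths` are assumptions made for this example.

```python
import re

# The pattern from the NGINX location block on this page, unchanged.
# "location ~" is case-sensitive, so no re.IGNORECASE flag is used.
NGINX_LOCATION_PATTERN = r"^/(media|thumbnail|theme|bundles|sitemap).*\.(php|git|htaccess|env)$"
_BLOCKED = re.compile(NGINX_LOCATION_PATTERN)


def is_blocked(request_uri: str) -> bool:
    """Return True if the deny-all location would match this request URI.

    NGINX evaluates regex locations against the normalized, percent-decoded
    URI without the query string, so callers should pass that form.
    """
    return _BLOCKED.search(request_uri) is not None


def check_paths(paths):
    """Map each sample URI to whether the directive blocks it."""
    return {p: is_blocked(p) for p in paths}


# Constructed sample URIs (not taken from the page): requests for files that
# an extension might have written into a public Shopware directory.
SAMPLE_URIS = [
    "/media/upload/image.jpg",        # ordinary asset, must stay reachable
    "/media/upload/script.php",       # PHP file in a public dir: denied
    "/thumbnail/400x400/.htaccess",   # dotfile in a public dir: denied
    "/theme/abc/.env",                # denied
    "/bundles/storefront/app.js",     # ordinary asset, must stay reachable
    "/media/upload/script.PHP",       # NOT denied: the pattern is case-sensitive
    "/media/upload/script.phtml",     # NOT denied: extension not in the list
]

if __name__ == "__main__":
    for uri, blocked in check_paths(SAMPLE_URIS).items():
        print(f"{'DENY ' if blocked else 'allow'}  {uri}")
```

Two points follow from the run: the directive only covers the listed prefixes and the exact lower-case extensions, and because NGINX evaluates regex locations in configuration order with the first match winning, this `deny all` block must appear before the `location ~ \.php$` block that passes requests to PHP-FPM, otherwise the PHP handler is selected first and the deny never applies.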



Shopware documentation

https://developer.shopware.com/docs/v6.4/resources/references/config-reference/server/nginx.html