Werk #13322: Limit executable php scripts to NagVis files

Component: Site management
Title: Limit executable php scripts to NagVis files
Date: Dec 12, 2021
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions: 2.1.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Previously, the web server was able to execute .php files from all locations that are callable by the user. With this change, the execution of PHP files is limited to the paths needed in the default installation for NagVis.

Please note: If you intentionally installed PHP files in your site to access them through the site web server, you may now need to extend your site's web server configuration to make them work again as before.

For example, if you installed one file to var/www/my_script.php, you can make it usable again with the following configuration in etc/apache/conf.d/my_script.conf:

<Location "/[site_id]/my_script.php">
  Options +ExecCGI
</Location>
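
An added example, not part of the Werk or Checkmk's own code: a Python audit that lists every .php file under a site's var/www and reports whether etc/apache/conf.d contains a Location block with Options +ExecCGI for it, following the configuration pattern above. The site name mysite, the sample files, and the assumption that subdirectories of var/www map to /[site_id]/... the same way my_script.php does are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# <Location "/url"> ... </Location>, the block form used in the Werk's example.
LOCATION_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)

def enabled_locations(conf_dir):
    """Return URL paths whose <Location> block sets Options +ExecCGI."""
    urls = set()
    for conf in sorted(Path(conf_dir).glob("*.conf")):
        text = conf.read_text(errors="replace")
        text = re.sub(r"(?m)^\s*#.*$", "", text)  # ignore commented-out lines
        for url, body in LOCATION_RE.findall(text):
            if re.search(r"(?im)^\s*Options\b.*\+ExecCGI\b", body):
                urls.add(url.rstrip("/"))
    return urls

def audit_site(site_root, site_id):
    """Map the URL of every .php file under var/www to its status."""
    root = Path(site_root)
    docroot = root / "var" / "www"
    enabled = enabled_locations(root / "etc" / "apache" / "conf.d")
    report = {}
    for php in sorted(docroot.rglob("*.php")):
        url = f"/{site_id}/{php.relative_to(docroot).as_posix()}"
        # Assumption: a Location covers its own URL and everything below it.
        covered = any(url == loc or url.startswith(loc + "/") for loc in enabled)
        report[url] = "explicitly enabled" if covered else "not enabled"
    return report

def build_sample_site(base, site_id="mysite"):
    """Create a constructed site layout for the demo (not a real Checkmk site)."""
    root = Path(base)
    (root / "var/www/tools").mkdir(parents=True)
    (root / "etc/apache/conf.d").mkdir(parents=True)
    (root / "var/www/my_script.php").write_text("<?php echo 'ok'; ?>\n")
    (root / "var/www/tools/report.php").write_text("<?php echo 'ok'; ?>\n")
    (root / "etc/apache/conf.d/my_script.conf").write_text(
        f'<Location "/{site_id}/my_script.php">\n  Options +ExecCGI\n</Location>\n'
        f'# <Location "/{site_id}/tools">\n#   Options +ExecCGI\n# </Location>\n'
    )
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for url, status in audit_site(build_sample_site(tmp), "mysite").items():
            print(f"{status:20} {url}")
```

Files reported as "explicitly enabled" are the ones worth reviewing periodically, since each such Location block is a deliberate exception to the restriction this Werk introduces.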
