For people who wants to protect their server from this attack, i suggest this:
sed -i '/try_files $fastcgi_script_name =404;/d' /etc/nginx/conf.d/*/*.conf
sed -i '/fastcgi_split_path_info/a try_files $fastcgi_script_name =404;' /etc/nginx/conf.d/*/*.conf
service nginx reload
EDIT: it might break some apps (about libreto app it’s sure)