Blog

PHP-FPM Vulnerability (CVE-2019-11043) can lead to Remote Code Execution on nginx

Tags: LinuxPHp-FPMVulnerabilities

Published on: October 29, 2019 by Nidhin George

PHP-FPM Vulnerability (CVE-2019-11043) can lead to Remote Code Execution on nginx

Scenario:

A vulnerability (CVE-2019-11043) was identified which could affect websites running under nginx webserver with PHP-FPM enabled.

On October 22, a security researcher has tweeted regarding a freshly patched remote code execution vulnerability in PHP-FPM which exposed the bug .

You can find the GitHub repository which provides the proof of concept (PoC) for the vulnerability.

Client

According to the PoC available in GitHub, a webserver running the below configuration is considered vulnerable.

location ~ [^/]\.php(/|$) {
...
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
...
}

A website in considered vulnerable under the below conditions

  • ngnix forwards the php page requests to php-fpm
  • The fastcgi_split_path_info directive must be and includes a regular expression beginning with a ‘^’ symbol and ending with a ‘$’ symbol
  • PATH_INFO variable assignment and SCRIPT_FILENAME is defined with fastcgi_param directive
  • No file existence checks like $uri =404 or if (-f $uri) to determine whether a file exists or not

Solutions:

To fix the vulnerability, PHP 7.3.11 and PHP 7.2.24 were released, the servers running nginx and PHP-FPM are advised to update the PHP versions to latest patched ones available.

Site owners who are unable to update the PHP running under the server can overcome the issue by adding a rule within the standard PHP mod_security firewall. You can find the instructions to do so here: https://lab.wallarm.com/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise

Category : Linux, nginx, PHP, Vulnerabilities

Nidhin George

Nidhin George

Nidhin has started his career as a Linux System Administrator since 2013 and holds vast experience in server administration, CMS management and cPanel systems. Apart from this he's a movie buff and have a huge collection of movies.

You may also read:

Comments

Add new commentSIGN IN

Let's Connect

Get new updates

Categories

$0.000 items