A vulnerability (CVE-2019-11043) was identified which could affect websites running under nginx webserver with PHP-FPM enabled.
On October 22, a security researcher has tweeted regarding a freshly patched remote code execution vulnerability in PHP-FPM which exposed the bug .
You can find the GitHub repository which provides the proof of concept (PoC) for the vulnerability.
According to the PoC available in GitHub, a webserver running the below configuration is considered vulnerable.
location ~ [^/]\.php(/|$) {
...
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
...
}
A website in considered vulnerable under the below conditions
- ngnix forwards the php page requests to php-fpm
- The fastcgi_split_path_info directive must be and includes a regular expression beginning with a ‘^’ symbol and ending with a ‘$’ symbol
- PATH_INFO variable assignment and SCRIPT_FILENAME is defined with fastcgi_param directive
- No file existence checks like $uri =404 or if (-f $uri) to determine whether a file exists or not
Solutions:
To fix the vulnerability, PHP 7.3.11 and PHP 7.2.24 were released, the servers running nginx and PHP-FPM are advised to update the PHP versions to latest patched ones available.
Site owners who are unable to update the PHP running under the server can overcome the issue by adding a rule within the standard PHP mod_security firewall. You can find the instructions to do so here: https://lab.wallarm.com/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise
