PHP7: NGINX servers with PHP FPM were remotely vulnerable

All PHP 7 release branches contain a security vulnerability that allows remote attackers to execute code on vulnerable web servers under narrow conditions. According to the discoverer of the vulnerability, however, only NGINX servers that use the FastCGI process manager PHP-FPM are affected. In addition, certain conditions regarding the server configuration have to be met.

As the PHP 7 changelog shows, the PHP development team closed the vulnerability, CVE-2019-11043, in versions 7.1.33, 7.2.24, and 7.3.11, released last week. A speedy update is advisable, especially since well-documented proof-of-concept code is already available on GitHub, which makes the vulnerability easy to attack.

Details of CVE-2019-11043 can be found, among other places, in the discoverer's PHP bug tracker entry (Sec Bug #78599). In addition, security software vendor Tenable has summarized in a blog entry the additional requirements under which NGINX servers with vulnerable PHP versions are vulnerable.

Update 28.10.19, 22:38: Content correction: In the original version of this message, PHP-FPM was erroneously called a PHP interpreter. (Ovw)

Which PHP-based websites are vulnerable to hackers?

Though the publicly released PoC exploit is designed to specifically target vulnerable servers running PHP 7+ versions, the PHP-FPM underflow bug also affects earlier PHP versions and could be weaponized in a different way.

In brief, a website is vulnerable if:

This vulnerable NGINX and PHP-FPM configuration looks like the following example:


Here, the fastcgi_split_path_info directive splits the URL of a PHP web page into two parts: one tells the PHP-FPM engine the script name, and the other contains its path info.
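The following Python example is added here and is not from the original article or from the NGINX or PHP projects: it mimics how fastcgi_split_path_info divides a URI and flags location blocks that pass PATH_INFO to PHP-FPM without a file-existence check. The sample configurations are constructed, and the three conditions it checks (split directive present, PATH_INFO taken from $fastcgi_path_info, no try_files or -f guard) are assumptions based on public advisories for CVE-2019-11043, not stated on this page.

```python
import re

# Constructed sample configs (not from the article).
RISKY_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
}
"""
# Same block with a file-existence check added before PATH_INFO is passed on.
GUARDED_CONF = RISKY_CONF.replace(
    "fastcgi_param PATH_INFO",
    "if (!-f $document_root$fastcgi_script_name) { return 404; }\n"
    "    fastcgi_param PATH_INFO")

def split_path_info(pattern, uri):
    """Mimic the directive: capture 1 becomes $fastcgi_script_name,
    capture 2 becomes $fastcgi_path_info; no match leaves path info empty."""
    m = re.search(pattern, uri)
    return (m.group(1), m.group(2)) if m else (uri, "")

def location_blocks(conf):
    """Yield (header, body) per location block via brace counting.
    Limitation: regexes containing literal braces are not handled."""
    for m in re.finditer(r"location\s+([^{]+)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf):
    """Return (location, split regex) for blocks meeting all three assumed conditions."""
    findings = []
    for header, body in location_blocks(conf):
        split = re.search(r"fastcgi_split_path_info\s+(\S+)\s*;", body)
        path_info = re.search(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;", body)
        guarded = re.search(r"try_files\s|if\s*\(\s*!?-f\s", body)
        if split and path_info and not guarded:
            findings.append((header, split.group(1)))
    return findings

if __name__ == "__main__":
    print(split_path_info(r"^(.+?\.php)(/.*)$", "/index.php/user/42"))
    for name, conf in (("risky", RISKY_CONF), ("guarded", GUARDED_CONF)):
        print(name, audit(conf))
```

A finding from `audit` is a prompt to review the block and confirm the installed PHP version, not proof that the server is exploitable.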
