
(CVE-2019-11043) NGINX + PHP-FPM - Vulnerability in PHP7 exposes sites to remote hacking risk

Posted: Sun Oct 27, 2019 10:47 am
by canoodle
Vulnerability in PHP7 exposes sites to remote hacking risk

The problem only applies to NGINX servers with PHP-FPM enabled.

A dangerous vulnerability (CVE-2019-11043) has been identified in the PHP 7 branch, which allows attackers to execute commands on the server using a specially generated URL.

According to experts, the bug is already being actively used in attacks. Exploiting it is quite simple, and the problem is compounded by the fact that PoC code for identifying vulnerable servers was posted on GitHub earlier this week. As the experts explain, having found a vulnerable server, "an attacker can send specially formed requests, adding '?a=' in the URL".

It is noted that the problem applies exclusively to NGINX servers with PHP-FPM (a software package for processing PHP scripts) enabled. Vulnerable configurations are nginx setups where forwarding to PHP-FPM is done by splitting the URL into parts with "fastcgi_split_path_info" and defining the PATH_INFO environment variable, but without first checking that the file exists using the directive "try_files $fastcgi_script_name" or the construct "if (!-f $document_root$fastcgi_script_name)". Example of vulnerable configuration:


"With a specially crafted URL, an attacker can shift the path_info pointer to the first byte of the _fcgi_data_seg structure. Writing a zero to this byte moves the pointer `char* pos` to an earlier memory area, and the FCGI_PUTENV called next overwrites some data (including other fast cgi variables)," the vulnerability description states. With this technique, an attacker can create a fake PHP_VALUE fcgi variable and achieve code execution.

The developers released a patch for this vulnerability last Friday, October 25. All users are strongly encouraged to upgrade to the latest versions of PHP 7.3.11 and PHP 7.2.24.

https://www.securitylab.ru/news/502087.php

PS: Powerdown, snapshot, update, test... every week...

is vestacp affected?

will a simple update resolve the problem?

for CentOS7 updating to php 7.3 worked for me

hostnamectl
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 5.1.X
Architecture: x86-64

like this:

https://www.tecmint.com/install-php-7-in-centos-7/
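
A check for the configuration pattern described in the post above, as an added example that is not part of the original post or of the nginx or PHP projects: it scans nginx config text for location blocks that use fastcgi_split_path_info and set PATH_INFO without either of the two file-existence checks. The sample configs, function names and the simple brace matcher are constructed for illustration; included files are not followed, so a PATH_INFO set in an include is not seen.

```python
import re

# Constructed sample configs for this example (not from the original post).
UNGUARDED = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;   # PHP-FPM backend
    }
}
"""
GUARDED = UNGUARDED.replace(
    "fastcgi_param PATH_INFO",
    "try_files $fastcgi_script_name =404;\n        fastcgi_param PATH_INFO", 1)

# The two file-existence checks named in the post.
GUARDS = (
    re.compile(r"\btry_files\s+\$fastcgi_script_name\b"),
    re.compile(r"\bif\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)"),
)

def location_blocks(conf):
    """Yield (header, body) per location block; assumes no braces inside regexes."""
    conf = re.sub(r"(?m)#.*$", "", conf)          # drop comments
    for m in re.finditer(r"\blocation\b([^{;]*)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:            # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def unguarded_locations(conf):
    """Return headers of locations that split PATH_INFO without a file check."""
    hits = []
    for header, body in location_blocks(conf):
        splits = re.search(r"\bfastcgi_split_path_info\b", body)
        sets_path_info = re.search(r"\bfastcgi_param\s+PATH_INFO\b", body)
        if splits and sets_path_info and not any(g.search(body) for g in GUARDS):
            hits.append(header)
    return hits

if __name__ == "__main__":
    for name, conf in (("unguarded", UNGUARDED), ("guarded", GUARDED)):
        print(name, "->", unguarded_locations(conf) or "ok")
```

A flagged block still needs the PHP update from the post; the file check only removes the configuration precondition.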

Re: (CVE-2019-11043) NGINX + PHP-FPM - Vulnerability in PHP7 exposes sites to remote hacking risk

Posted: Mon Oct 28, 2019 9:21 am
by mr4k
Did anyone have a chance to investigate this?

Re: (CVE-2019-11043) NGINX + PHP-FPM - Vulnerability in PHP7 exposes sites to remote hacking risk

Posted: Mon Oct 28, 2019 10:46 am
by elpolloloco
Bump! Any news on this?

Re: (CVE-2019-11043) NGINX + PHP-FPM - Vulnerability in PHP7 exposes sites to remote hacking risk

Posted: Wed Oct 30, 2019 12:30 am
by grayfolk
elpolloloco wrote:
Mon Oct 28, 2019 10:46 am
Bump! Any news on this?
And what news do you want? Vulnerability detected, solution present.