Php-fpm vulnerability

PHP developers have issued corrective releases 7.3.11, 7.1.33, and 7.2.24 of PHP that eliminate a critical vulnerability (CVE-2019-11043) in the PHP-FPM (FastCGI Process Manager) extension which allows a remote attacker to execute code on the system. A working exploit is already publicly available and targets servers that run PHP scripts through PHP-FPM behind Nginx.

How do I test the server for vulnerability?

It is sufficient to check whether you are using PHP-FPM and which version of the PHP interpreter is running. If your PHP version is lower than the corresponding fixed release (7.3.11, 7.1.33, or 7.2.24), your server is vulnerable.

Example of a vulnerable configuration

location ~ [^/]\.php(/|$) {
  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  fastcgi_param PATH_INFO $fastcgi_path_info;
  fastcgi_pass php:9000;
}
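As an added example (not part of the original post), the following POSIX shell script performs the version check described above: it determines which branch the installed interpreter belongs to and reports whether it predates the fixed release. The `pgrep`-based PHP-FPM check and the `--check` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a PHP-FPM host
# still needs the CVE-2019-11043 update by comparing the interpreter version
# against the fixed releases named in the post.

# Fixed releases per branch, as listed above.
FIXED_7_1=7.1.33
FIXED_7_2=7.2.24
FIXED_7_3=7.3.11

# ver_lt A B: succeed if version A sorts strictly before version B.
# Numeric sort per field, so 7.3.9 is correctly seen as older than 7.3.11.
ver_lt() {
  [ "$1" != "$2" ] && \
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# php_needs_update VERSION
# Prints "vulnerable", "fixed", or "unknown" (branch not covered by the post).
php_needs_update() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop suffixes like "-1ubuntu0.1"
  case "$v" in
    7.1.*) fixed=$FIXED_7_1 ;;
    7.2.*) fixed=$FIXED_7_2 ;;
    7.3.*) fixed=$FIXED_7_3 ;;
    *) echo unknown; return 0 ;;
  esac
  if ver_lt "$v" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# fpm_running: succeed if a php-fpm process is running (assumes procps pgrep).
fpm_running() {
  pgrep -f 'php-fpm' >/dev/null 2>&1
}

# Stand-alone use: inspect the installed interpreter (php -r prints e.g. "7.2.19").
main() {
  if ! command -v php >/dev/null 2>&1; then echo "php not found"; return 2; fi
  if ! fpm_running; then echo "php-fpm not running; CVE-2019-11043 does not apply"; fi
  php_needs_update "$(php -r 'echo PHP_VERSION;')"
}

# Only run the host check when invoked with --check (assumed convention).
case "${1:-}" in --check) main ;; esac
```

Run it as `sh check-fpm.sh --check` on the server; a result of "unknown" means the branch is not one of the three the post covers and must be checked against the PHP release notes by hand.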

What to do?

The best option is to upgrade PHP to the latest version. If you have a Red Hat-based distribution, you can do it with the command

yum update php

If you use Debian or Ubuntu, the upgrade commands are different:

apt-get update

apt install php

Unfortunately, not all developers of popular distributions have released updated packages yet.

As a workaround, add a check that the requested PHP script actually exists, placed after the "fastcgi_split_path_info" line in the nginx configuration, so that requests for non-existent scripts get a 404 instead of being passed to PHP-FPM, for example:

try_files $fastcgi_script_name =404;

Of course, you can always ask our administrators to check whether your server is vulnerable and, where possible, to upgrade it or suggest a different solution.


28 October 2019
