PHP-FPM vulnerability (CVE-2019-11043)

The PHP developers have issued corrective releases PHP 7.1.33, 7.2.24 and 7.3.11 that close a critical vulnerability (CVE-2019-11043) in PHP-FPM (FastCGI Process Manager) which allows a remote attacker to execute code of their choosing on the server. A working exploit is already publicly available; it targets servers that run PHP scripts through PHP-FPM behind Nginx.

How do I test the server for vulnerability?

It is enough to check two things: whether PHP runs through PHP-FPM (for example, the fastcgi_pass directive in the Nginx configuration points at a PHP-FPM socket or port), and which PHP version is in use (php-fpm -v; the binary may be named php-fpm7.3 or similar on Debian and Ubuntu). If the version is older than the fixed release of its branch (7.1.33 for 7.1, 7.2.24 for 7.2, 7.3.11 for 7.3), the server is vulnerable. Some distributions backport the fix without changing the upstream version number, so check the package changelog as well before relying on the version alone. The Nginx side of the problem is a location block that derives PATH_INFO from fastcgi_split_path_info and passes the request to PHP-FPM without first checking that the requested script exists.

Example of a vulnerable configuration

location ~ [^/]\.php(/|$) {
  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  fastcgi_param PATH_INFO $fastcgi_path_info;
  fastcgi_pass php:9000;
}

What to do?

The best option is to upgrade PHP to the fixed release. On a Red Hat based distribution (RHEL, CentOS) the PHP-FPM package is updated with

yum update php-fpm

On Debian or Ubuntu the commands are different, and the package is named after the PHP branch (php7.2-fpm, php7.3-fpm and so on; dpkg -l 'php*-fpm' shows which one is installed):

apt-get update

apt-get install --only-upgrade php7.3-fpm

After the upgrade restart the PHP-FPM service (systemctl restart php-fpm, or php7.3-fpm on Debian and Ubuntu) so that the running worker processes pick up the new binary.

Unfortunately, not all popular distributions have released updated packages yet.

Until a package is available, a workaround is to make Nginx verify that the requested PHP script actually exists before the request is passed to PHP-FPM. Add the following line to the location block, after fastcgi_split_path_info:

try_files $fastcgi_script_name =404;

This works because the public exploit sends a URL containing an encoded newline (%0a) that makes the regular expression in fastcgi_split_path_info fail to match, so an empty PATH_INFO reaches PHP-FPM and triggers the bug; with the check in place, Nginx looks for a file named after the mangled URI, finds none, answers 404 and never forwards the request. The check resolves the script against the root of that location (try_files uses $document_root), so make sure root is set correctly there. It is a mitigation, not a fix: upgrade as soon as a package is available.
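The two checks described above (the PHP version test in "How do I test the server for vulnerability?" and the presence of the try_files line in each PHP location) can be scripted. The following is an added example written for this page, not code from the original post or from the PHP or Nginx projects; the function names, the sample configuration and the "--demo" switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a small checker for the two
# conditions the advisory describes. php_branch_is_patched() compares a PHP
# version string with the release that fixed CVE-2019-11043 on its branch;
# find_unchecked_php_locations() scans an nginx config for location blocks
# that use fastcgi_split_path_info without a try_files existence check.
# Function names and the sample config are assumptions made for this example.

# Exit 0 if the version is at or above the fixed release of its branch,
# 1 if it is older, 2 if the branch is not one the advisory covers.
# Distributions that backport the fix keep an older upstream number, so treat
# "1" as "check the package changelog", not as proof of exposure.
php_branch_is_patched() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}        # drop suffixes such as "-0ubuntu0.18.04.1"
    case "$major.$minor" in
        7.1) fixed=33 ;;
        7.2) fixed=24 ;;
        7.3) fixed=11 ;;
        *)   return 2 ;;            # e.g. 5.x or 7.0: not covered, review manually
    esac
    [ "${patch:-0}" -ge "$fixed" ]
}

# Print "<line>: <location header>" for every location block in the given
# nginx config file that contains fastcgi_split_path_info but no
# "try_files $fastcgi_script_name" (or "$document_root$fastcgi_script_name")
# line. Exit 1 if at least one such block was found, 0 otherwise.
# Heuristic: braces are counted per line and comments are not stripped.
find_unchecked_php_locations() {
    awk '
        /^[[:space:]]*location[[:space:]]/ {
            in_loc = 1; start = NR; depth = 0; splits = 0; checks = 0
            header = $0
            sub(/^[[:space:]]+/, "", header)
            sub(/[[:space:]]*[{].*$/, "", header)
        }
        in_loc {
            if ($0 ~ /fastcgi_split_path_info/) splits = 1
            if ($0 ~ /try_files[[:space:]]+([$]document_root)?[$]fastcgi_script_name/) checks = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) {
                if (splits && !checks) { found = 1; print start ": " header }
                in_loc = 0
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample config for the demo and the test: the vulnerable block
# from the post, followed by the same block carrying the try_files workaround.
write_sample_config() {
    cat > "$1" <<'EOF'
server {
    root /var/www/html;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
    location ~ ^/app/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
}
EOF
}

# Run with "--demo" to check the sample file. On a real server point
# find_unchecked_php_locations at the site config and feed the output of
# "php-fpm -v" (binary name varies: php-fpm, php-fpm7.3, ...) into
# php_branch_is_patched, e.g.:
#   php_branch_is_patched "$(php-fpm -v | sed -n 's/^PHP \([0-9.]*\).*/\1/p')"
if [ "${1-}" = "--demo" ]; then
    conf=$(mktemp)
    write_sample_config "$conf"
    if find_unchecked_php_locations "$conf"; then
        echo "every PHP location in $conf checks that the script exists"
    else
        echo "the location(s) above pass PATH_INFO to PHP-FPM without checking that the script exists"
    fi
    rm -f "$conf"
fi
```

Run as sh check-fpm.sh --demo: the first location of the sample file is reported (it is the configuration shown above), the second one is silent because it carries the try_files line. The version check only encodes the three fixed releases named in this post; a result of 2 means the branch is outside that list and needs a manual look.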

Of course, you can always ask our administrators for help: we can check whether your server is affected and, where possible, upgrade it or set up an alternative solution.


28 October 2019
