New PHP Flaw Could Let Attackers Take Over The Sites Running Nginx Server

You’re managing any PHP based website on NGINX server and have PHP-FPM feature authorize for finer performance, then lookout of a newly impart exposure that could allow unofficial attackers to hack your website server removed.

The exposure trace as CVE-2019-11043 affects most of the websites with different designs of PHP-FPM that is apparently not rare and could be easily utilized as a proof of concept testing (POCT) use for the fault has already been let go face to face.

The alternative is PHP-FPM PHP FastCGI execution that offers advanced and highly- well-organized processing for letters written in PHP programming language.

One of the main exposure is an “env_path_info” vulnerability memory alteration issue in the PHP-FPM module and bind it together with other issues that could allow attackers to remove execute random code on at-risk web servers.

Which PHP-based websites are exposure to hackers?

The publicly released PoCT exploits are designed to specifically target at-risk servers running PHP 7+ versions, the PHP-FPM in a different way

  • NGINX is configured to forward PHP pages requests to PHP-FPM processor,
  • fastcgi_split_path_info directive is present in the layout and includes a regular expression starting with a ‘^’ symbol and ending with a ‘$’ symbol,
  • PATH_INFO variable is defined with fastcgi_param order.
  • No checks like try_files $uri =404 or if (-f $uri) to control whether a file present or not.

This at-risk NGINX and PHP-FPM design look like the following example:

nginx php-fpm hacking

Here, the fastcgi_split_path_info direction is used to crack the URL of PHP web pages into two parts, the value of one helps the PHP-FPM drive to learn the script name and the other one carry its path info.

The PHP 7 updates released to patch FPM flaw

The list of prerequisites for performance is not very rare because the exposed layout is being used by some of the web hosting providers and available on the Internet.

One such pretentious web hosting provider is Nextcloud who released an advisory yesterday warning its users that “the default Nextcloud NGINX layout is also at-risk to this attack” and suggest system administrators take on the spot actions.

A pop for this exposure was released just yesterday, almost a month after researchers reported it to the PHP developer team.

Since the PoCT exploit is available and the pop released just yesterday, it’s likely possible that hackers might have already started scanning the Internet in search of at-risk websites.

Users are strongly suggested to update PHP to the latest PHP 7.3.11 and PHP 7.2.24. it, even if you are not using the at-risk layout.

The background, the PoCT use [1 (PHuiP-FPizdaM), 2], in the PHP-FPM layout file of a targeted server, allowing attackers to execute random code using a web-shell.

” By using an alert chosen the length of the URL path and question string, an attacker can make path_info point promoted to the first byte of _fcgi_data_seg structure. Putting zero into it moves `char* pos` field backward, and following FCGI_PUTENV quash some data (including other fast CGI variables) with the script path,” researchers said in a bug report submitted to the PHP project.

“Using this technique, I was able to create a fake PHP_VALUE fcgi variable after that use a chain of chosen config values to get code execution.”

Related post: Cybersecurity Researchers Claim To Find Hidden MSSQL Backdoor Manufactured By The Chinese.


Keep following us for more updates #TeamBugNResearch

Leave a Reply

Your email address will not be published. Required fields are marked *