
posted by janrinok on Tuesday October 29 2019, @08:55PM
from the update-your-versions dept.

Submitted via IRC for Fnord666

PHP Bug Allows RCE on NGINX Servers

A buffer underflow bug in PHP could allow remote code-execution (RCE) on targeted NGINX servers.

First discovered during a hCorem Capture the Flag competition in September, the bug (CVE-2019-11043) exists in the FastCGI directive used in some PHP implementations on NGINX servers, according to researchers at Wallarm.

PHP powers about 30 percent of modern websites, including popular web platforms like WordPress and Drupal – but NGINX servers are only vulnerable if they have PHP-FPM enabled (a non-default optimization feature that allows servers to execute scripts faster). The issue is patched in PHP versions 7.3.11, 7.2.24 and 7.1.33, which were released last week.

In a Monday posting, Wallarm researchers said that the bug can be exploited by sending specially crafted packets to the server by using the “fastcgi_split_path” directive in the NGINX configuration file. That file is configured to process user data, such as a URL. If an attacker creates a special URL that includes a “%0a” (newline) byte, the server will send back more data than it should, which confuses the FastCGI mechanism.

“In particular, [the bug can be exploited] in a fastcgi_split_path directive and a regexp trick with newlines,” according to Wallarm security researcher Andrew Danau, who found the bug. “Because of %0a character, NGINX will set an empty value to this variable, and fastcgi+PHP will not expect this....[as a result], it’s possible to put [in] arbitrary FastCGI variables, like PHP_VALUE.”
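The NGINX handler shape the advisory describes (a `fastcgi_split_path_info` regex feeding `PATH_INFO` to PHP-FPM with no file-existence check) beside a guarded variant, plus a small audit script that flags the unguarded form; this is an added example, not code from the story, Wallarm or the PHP project. The two configuration samples are constructed, the guard it looks for assumes the `try_files ... =404` / `if (-f ...)` check named in the PHP bug report, and upgrading to a patched PHP remains the real fix.

```python
import re
# Constructed sample: the unguarded handler shape described in the PHP bug report.
VULNERABLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""
# Constructed sample: same handler with a file-existence check added.
HARDENED_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""

def location_blocks(conf):
    """Naive brace walker: returns (header, body) for each location block."""
    blocks, header, depth, body = [], None, 0, []
    for raw in conf.splitlines():
        line = raw.strip()
        if header is None:
            if line.startswith("location") and line.endswith("{"):
                header, depth, body = line[:-1].strip(), 1, []
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            blocks.append((header, "\n".join(body)))
            header = None
        else:
            body.append(line)
    return blocks

PASSES_PATH_INFO = re.compile(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info")
EXISTS_CHECK = re.compile(r"try_files\s+\S+\s+=404|if\s*\(\s*-f\s")

def audit(conf):
    """Return headers of location blocks that split PATH_INFO with no file check."""
    return [
        header for header, body in location_blocks(conf)
        if "fastcgi_split_path_info" in body
        and PASSES_PATH_INFO.search(body) and not EXISTS_CHECK.search(body)
    ]
```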

  • (Score: 4, Informative) by rigrig (5129) on Wednesday October 30 2019, @12:09AM (#913506)

    Yes, this is only a problem for particular Nginx+PHP-FPM configurations [github.com] (PHP bug report [php.net])

    The reason people use FastCGI is that they want to run Nginx and PHP, as there is no Apache-like PHP module for Nginx, only PHP-FPM.
    The reason people use Nginx instead of Apache is either a careful analysis of the various tradeoffs involved, as both have a bunch of unique benefits (mostly performance vs dynamic configurability), or because they figured all the hip people are switching to Nginx nowadays.

    Disclaimer: I'm using both Nginx and Apache (no FastCGI though), partly because I don't trust apache2-mpm-itk with handling SSL, and partly because stuffing both an Nginx proxy, an Apache server and some dockers into a $5 vhost seemed like an interesting challenge (well, it was, before even the cheapest option was bumped to 1GB RAM :-p)

    --
    No one remembers the singer.
  • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 30 2019, @05:35AM (#913601)

    One can use PHP-FPM with Apache (instead of the Apache PHP module)--and I've used it that way myself in rare cases.

    Also, there are other times PHP-FPM may be used with various HTTP servers. I've seen it used with Hiawatha.

    Now as to whether these other cases are afflicted by this bug in the same manner--I don't know.

    Just do NOT assume that it ONLY affects NGINX with PHP-FPM. I'd suggest you update your PHP installation anywhere you're using PHP-FPM.