Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Networking PHP Bug

Nasty PHP7 Remote Code Execution Bug Exploited in the Wild on NGINX Servers (zdnet.com) 16

nickwinlund77 shares this story from ZDNet: A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.

This discussion has been archived. No new comments can be posted.

Nasty PHP7 Remote Code Execution Bug Exploited in the Wild on NGINX Servers

Comments Filter:
  • by QuietLagoon ( 813062 ) on Sunday October 27, 2019 @11:56AM (#59352706)
    According to the zdnet.com article:

    One such case is web hosting provider Nextcloud, who issued a security advisory to its clients on Thursday, October 24, urging customers to update PHP to the latest release, versions 7.3.11 and 7.2.24, which had been released on the same day and included fixes for CVE-2019-11043.

    • That's ok, anyone who is good at programming stopped using PHP a long time ago due to all the insecure php libraries. Unfortunately a lot of of those developers failed to update their projects before jumping ship.So maybe they are not good at programming after all.
  • Uhm, the NFL is on right now... is that why this Must-fix-business-software story not getting a reaction here?

    • by godrik ( 1287354 )

      Alternatively, slashdot is not as relevant as it used to be.
      The site was even unreachable for hours yesterday.
      I wonder how long it will take until netcraft confirms slashdot demise.

    • Re: Repeat on Monday (Score:5, Informative)

      by bill_mcgonigle ( 4333 ) * on Sunday October 27, 2019 @01:50PM (#59352978) Homepage Journal

      You need to be using nginx, php_fpm, and have a config using fastcgi_split_path_info, at least for today.

      The recommend workaround is to find every instance of:
      location ~ \.php(/|$) {
      where fastcgi_split_path_info is used and prepend the location directive with:
      rewrite ^(.*?)\n $1; #Fix CVE-2019-11043 (THIS LINE!!!)
      to take newline characters out of URI's and get back to football until patches arrive.

      no preview on mobile ... hope that's legible...

      • by gaspyy ( 514539 )

        There's already a patch, released on Oct. 24.

        • You're assuming that PHP developers and/or the mugs who they sell their software too are actually smart enough to patch their systems. If they are really that smart, why would they be using php?
          • *slow claps* Beautiful use of "begging the question" logical fallacy. This doesn't mean I disagree with you in general - I think using PHP is probably a bad idea in general. However, my employer does not, and I do not have the say-so to argue with him about it. I do, however, have the duty of making sure my employer's systems are as tight as I can make them. Ergo, I suppose I am smart enough to patch our PHP systems but not smart enough to explain to my boss why PHP was a terrible idea in the first place? H
  • by TFlan91 ( 2615727 ) on Sunday October 27, 2019 @01:17PM (#59352902)

    I think this is even more concerning:

    The buffer underflow in php-fpm is present in PHP version 5. However, this exploit makes use of an optimization used for storing FastCGI variables, _fcgi_data_seg. This optimization is present only in php 7, so this particular exploit works only for php 7. There might be another exploitation technique that works in php 5.

    Bug exists in PHP 5, but no one has found a way to utilize it yet.

    PHP 5 is going to live on the web for as long as the web lives...

    • PHP 5 is going to live on the web for as long as the web lives...

      Certainly for as long as RHEL/CentOS 7 lives, at a minimum...

      • And you can thank SystemD for forcing server admins in using CentOS6/RH 6 with php 5 since systems can't be reliable with anything newer

        • Any EL6/EL7 admin needing php should be using suported versions in the remi repos. Also redhat should backport a fix, even to versions unsupported in upstream, because thats what the do. Stable APIs, security patches for the life of the OS.
    • I haven't touched NGINX and php-fpm since 2013, but I still can't say enough nice things about that combo. It was rocket fuel!

      Yeah, I can see how PHP 5 is going to stick around for as long as it can. I don't miss the update drama/lottery with any of those components one bit. It was almost like most code was destined to break at some point after an update.
  • According to the bug report:

    The regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug.

    According to NGINX documentation:

    If the directive is specified with if_not_empty (1.1.11) then such a parameter will be passed to the server only if its value is not empty:

    So this line in your configuration should prevent the problem in older versions of NGINX:

    fastcgi_param PATH_INFO $fastcgi_path_in

Whoever dies with the most toys wins.

Working...