Nasty PHP7 Remote Code Execution Bug Exploited in the Wild on NGINX Servers (zdnet.com) 16
nickwinlund77 shares this story from ZDNet:
A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.
The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.
Fixed on versions... (Score:3)
One such case is web hosting provider Nextcloud, who issued a security advisory to its clients on Thursday, October 24, urging customers to update PHP to the latest release, versions 7.3.11 and 7.2.24, which had been released on the same day and included fixes for CVE-2019-11043.
Re: (Score:1)
Repeat on Monday (Score:1)
Uhm, the NFL is on right now... is that why this Must-fix-business-software story not getting a reaction here?
Re: (Score:2)
Alternatively, slashdot is not as relevant as it used to be.
The site was even unreachable for hours yesterday.
I wonder how long it will take until netcraft confirms slashdot demise.
Re: (Score:2)
This. There just isn't much to say about it. PHP exploit announced, fix released, people who care are mitigating, people who don't.. don't.
Even the people who enjoy trashing PHP for its spotty security record have gotten bored of it.
Re: Repeat on Monday (Score:5, Informative)
You need to be using nginx, php_fpm, and have a config using fastcgi_split_path_info, at least for today.
The recommended workaround is to find every instance of:
location ~ \.php(/|$) {
where fastcgi_split_path_info is used and prepend the location directive with:
rewrite ^(.*?)\n $1; #Fix CVE-2019-11043 (THIS LINE!!!)
to take newline characters out of URIs and get back to football until patches arrive.
no preview on mobile ... hope that's legible...
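As an added defender-side example, not from the comment above or from ZDNet, here is a small Python audit that scans an nginx configuration for location blocks using fastcgi_split_path_info and reports whether the newline-stripping rewrite described in the comment is present in each. The sample configuration is constructed for the example.

```python
import re

# Constructed sample nginx config: one PHP-FPM location without the
# workaround, one with it, and one unrelated static location.
SAMPLE_CONF = """
server {
    location ~ \\.php(/|$) {
        fastcgi_split_path_info ^(.+\\.php)(/.*)$;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        include fastcgi_params;
    }
    location ~ \\.php$ {
        rewrite ^(.*?)\\n $1;
        fastcgi_split_path_info ^(.+\\.php)(/.*)$;
        fastcgi_pass 127.0.0.1:9000;
    }
    location /static/ {
        root /var/www/static;
    }
}
"""


def find_location_blocks(conf):
    """Return (header, body) pairs for every location block, matching braces."""
    blocks = []
    for m in re.finditer(r'location\s+([^{]+?)\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), conf[m.end():i - 1]))
    return blocks


def audit_php_locations(conf):
    """List location blocks that use fastcgi_split_path_info and whether the
    rewrite that strips a literal newline (the posted workaround) is present."""
    findings = []
    for header, body in find_location_blocks(conf):
        if 'fastcgi_split_path_info' not in body:
            continue  # only the split regexp path is in scope here
        # Looks for a rewrite whose pattern contains a backslash-n sequence.
        mitigated = re.search(r'rewrite\s+\S*\\n', body) is not None
        findings.append({'location': header, 'mitigated': mitigated})
    return findings


if __name__ == '__main__':
    for f in audit_php_locations(SAMPLE_CONF):
        print(f)
```

Run it against the real config (for example the output of nginx -T) to get the list of blocks still lacking the workaround.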
Re: (Score:2)
There's already a patch, released on Oct. 24.
Re: (Score:1)
Re: (Score:2)
Yikes (Score:3)
I think this is even more concerning:
Bug exists in PHP 5, but no one has found a way to utilize it yet.
PHP 5 is going to live on the web for as long as the web lives...
Re: (Score:3)
PHP 5 is going to live on the web for as long as the web lives...
Certainly for as long as RHEL/CentOS 7 lives, at a minimum...
Re: (Score:2)
And you can thank SystemD for forcing server admins into using CentOS6/RH 6 with php 5, since systems can't be reliable with anything newer.
Re: Yikes (Score:1)
Re: Yikes (Score:1)
Yeah, I can see how PHP 5 is going to stick around for as long as it can. I don't miss the update drama/lottery with any of those components one bit. It was almost like most code was destined to break at some point after an update.
Alternative fix for use with stable versions (Score:1)
According to the bug report:
According to NGINX documentation:
So this line in your configuration should prevent the problem in older versions of NGINX:
fastcgi_param PATH_INFO $fastcgi_path_in