PHP Bug Allows RCE on NGINX Servers
upstart writes:
A buffer underflow bug in PHP could allow remote code-execution (RCE) on targeted NGINX servers.
First discovered during a hCorem Capture the Flag competition in September, the bug (CVE-2019-11043) lies in how PHP-FPM handles the FastCGI path-splitting directive used in some PHP setups on NGINX servers, according to researchers at Wallarm.
PHP powers about 30 percent of modern websites, including popular platforms such as WordPress and Drupal, but NGINX servers are vulnerable only if they have PHP-FPM enabled (a non-default optimization feature that lets servers execute scripts faster). The issue is patched in PHP versions 7.3.11, 7.2.24 and 7.1.33, which were released last week.
In a Monday posting, Wallarm researchers said the bug can be exploited by sending specially crafted requests to a server whose NGINX configuration file uses the "fastcgi_split_path_info" directive. That directive operates on user-supplied data, namely the request URL, splitting it into a script path and path info. If an attacker sends a URL that includes a "%0a" (newline) byte, the server will send back more data than it should, which confuses the FastCGI mechanism.
"In particular, [the bug can be exploited] in a fastcgi_split_path directive and a regexp trick with newlines," according to Wallarm security researcher Andrew Danau, who found the bug. "Because of %0a character, NGINX will set an empty value to this variable, and fastcgi+PHP will not expect this. ... [As a result], it's possible to put [in] arbitrary FastCGI variables, like PHP_VALUE."
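As an added example that is not part of the article or Wallarm's work: a small Python auditor covering the two checks a defender would run, comparing a PHP version against the patched releases listed above, and flagging NGINX location blocks that use fastcgi_split_path_info without a try_files check that the script file exists (the commonly recommended configuration-side hardening, which the article itself does not mention). The sample configuration is constructed.

```python
import re

# Patched releases named in the article for CVE-2019-11043, keyed by branch.
PATCHED = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def php_is_patched(version: str):
    """True/False for the 7.1-7.3 branches; None for branches the table does not cover."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = PATCHED.get(parts[:2])
    if fixed is None:
        return None
    return parts >= fixed


def _location_blocks(conf: str):
    """Yield (location matcher, body) for every location block, ignoring # comments."""
    conf = re.sub(r"#.*", "", conf)
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def find_risky_locations(conf: str) -> list:
    """Location blocks that split PATH_INFO but never verify the script file exists."""
    return [loc for loc, body in _location_blocks(conf)
            if "fastcgi_split_path_info" in body and "try_files" not in body]


# Constructed sample: the first block is the widely copied pattern without a guard,
# the second adds the try_files check. Socket and address values are illustrative.
SAMPLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location ~ ^/app(.*\.php)(/.*)?$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

if __name__ == "__main__":
    print("unguarded location blocks:", find_risky_locations(SAMPLE_CONF))
    for v in ("7.3.10", "7.3.11"):
        print(v, "patched" if php_is_patched(v) else "vulnerable")
```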