[Warning Notice] php-fpm Remote Code Execution Vulnerability (CVE-2019-11043)


Overview

Recently, security researchers abroad disclosed a vulnerability in php-fpm (CVE-2019-11043) that can lead to remote code execution under certain Nginx configurations.

The vulnerability is in sapi/fpm/fpm/fpm_main.c (https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1140). The code assumes that env_path_info begins with the path of the PHP script, but never checks that this assumption holds; when it does not, the "path_info" variable ends up holding an invalid pointer. Under some Nginx configurations, an attacker can send a newline character (encoded as %0a) that breaks the regexp in the fastcgi_split_path_info directive; the broken match yields an empty PATH_INFO, which triggers the vulnerability.

The vulnerability was reportedly discovered by accident by researcher Andrew Danau during a CTF competition: when he sent %0a in a URL, the server returned an error, and further investigation led to the discovery of this bug.

Reference link:
https://lab.wallarm.com/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise/

Affected versions

In an nginx + php-fpm environment using the nginx configuration below, all PHP 7 versions are affected (PHP 7.0, PHP 7.1, PHP 7.2, PHP 7.3); on PHP 5.6 it can also cause crashes.
The vulnerable nginx configuration is as follows:

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO         $fastcgi_path_info;
        fastcgi_pass   php:9000;
        ...
    }

Security advice

1. PHP officially released a patch on October 12th; see the reference link below for details. Affected users are advised to upgrade.
2. Check the nginx configuration. If it contains the vulnerable configuration shown above, it is recommended to remove the following directives:

fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO       $fastcgi_path_info;
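To help with step 2, here is an added audit helper (not part of the original advisory or the PHP project) that walks an nginx configuration and flags every location block combining the two directives above. The sample configuration is constructed; the first block reproduces the vulnerable pattern, the second does not forward PATH_INFO and is not flagged.

```python
import re

# Constructed sample nginx config (not from the advisory): the first location block
# reproduces the vulnerable pattern, the second passes no PATH_INFO and is not flagged.
SAMPLE_CONFIG = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO         $fastcgi_path_info;
        fastcgi_pass   php:9000;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
"""

LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{")
SPLIT_RE = re.compile(r"^\s*fastcgi_split_path_info\b", re.M)
PATH_INFO_RE = re.compile(r"^\s*fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;", re.M)


def location_blocks(config):
    """Return (header, body) pairs for each location block, matching braces by depth."""
    blocks = []
    for m in LOCATION_RE.finditer(config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
            i += 1
        blocks.append((m.group(1), config[m.end():i - 1]))
    return blocks


def find_vulnerable_locations(config):
    """Headers of location blocks that both split PATH_INFO with a regexp and
    forward $fastcgi_path_info to php-fpm, the combination CVE-2019-11043 needs."""
    return [hdr for hdr, body in location_blocks(config)
            if SPLIT_RE.search(body) and PATH_INFO_RE.search(body)]


if __name__ == "__main__":
    for hdr in find_vulnerable_locations(SAMPLE_CONFIG):
        print("vulnerable location block:", hdr)
```

Run it against the contents of your own nginx.conf (including files pulled in via include) and review every block it reports.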

Reference link:
https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest


Source: blog.csdn.net/zjj1898/article/details/102822011