PHP Bug Allows Remote Code-Execution on NGINX Servers

A PHP based website running on NGINX Server is vulnerable to a buffer underflow bug which could allow Remote Code Execution. The bug exists in the FastCGI directive used in some PHP implementations on NGINX servers, according to researchers at Wallarm. The vulnerability affects websites running on NGINX web servers enabled with the Hypertext Preprocessor FastCGI Process Manager (PHP-FPM). The vulnerability is related to a lack of checks on the configurations of NGINX and PHP-FPM which can lead to RCE.

PHP-FPM is an alternative implementation of FastCGI (a way to execute scripts faster) with additional features especially for high-traffic sites. While PHP-FPM isn’t a core component in NGINX installs, web hosting providers often include it in their PHP environments.

CVE ID: CVE-2019-11043

If the exploitation is successful, this attack can lead to RCE. it can allow hackers and threat actors to take over a PHP-written or supported web application and its web server. This leverages attackers to steal, delete, add, or overwrite content, infuse them with malware, or use them as doorways into other systems or servers connected to it. The impact could be pervasive as PHP is the framework for many popular websites and web applications, including popular content management systems WordPress and Drupal.

Working of the vulnerability:

Wallarm researchers stated that that the bug can be exploited by sending specially crafted packets to the server by using the “fastcgi_split_path” directive in the NGINX configuration file. That file is configured to process user data, such as a URL. If an attacker creates a special URL that includes a “%0a” (newline) byte, the server will send back more data than it should, which confuses the FastCGI mechanism. Another security researcher participating in the CTF exercise, Emil Lerner, provided more details in the PHP bug tracker: “The regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug,” he said.



A website is vulnerable if:

  • NGINX is configured to forward PHP pages requests to PHP-FPM processor,
  • fastcgi_split_path_info directive is present in the configuration and includes a regular expression beginning with a '^' symbol and ending with a '$' symbol,
  • PATH_INFO variable is defined with fastcgi_param directive,
  • There are no checks like try_files $uri =404 or if (-f $uri) to determine whether a file exists or not.

The vulnerable NGINX and PHP-FPM configuration looks like the following example:

Here, the fastcgi_split_path_info directive is used to split the URL of PHP web pages into two parts, the value of one help PHP-FPM engine to learn the script name and the other one contains its path info.

Remediation: Administrators and IT teams using NGINX with PHP-FPM are recommended to update their PHP to their latest or stable versions (7.2.24 or 7.3.11)

Admins can also  identify vulnerable FastCGI directives in their NGINX configurations with a bash command, “egrep -Rin –color ‘fastcgi_split_path’ /etc/nginx/,” according to Wallarm.