[Alert] PHP Remote Code Execution Vulnerability (CVE-2019-11043)
Oct 28, 2019 GMT+08:00
I. Overview
An important PHP remote code execution vulnerability (CVE-2019-11043) was recently disclosed officially. In certain Nginx + PHP-FPM configurations, a logic bug can be exploited by an attacker to achieve remote code execution (RCE). A proof of concept (PoC) for this vulnerability has been published, and the risk is high.
Reference links:
https://bugs.php.net/bug.php?id=78599
https://github.com/neex/phuip-fpizdam/
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Vulnerability Screening
If the following two conditions are met, the system is affected by the vulnerability:
1. Both PHP-FPM and Nginx servers are used, and PHP-FPM is enabled (disabled by default).
2. The Nginx configuration file contains the following content:
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}
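A screening helper for condition 2 above, added here as an example and not part of the original notice or of any vendor tool: it lists every location block in an Nginx configuration that contains all three directives shown. The function names and the sample configuration are constructed, the code assumes no braces or `#` characters inside regexes or quoted strings, and condition 1 (PHP-FPM actually in use) still has to be confirmed separately.

```python
import re

def _directive(pattern):
    """Match a directive at line start or right after ';', '{' or '}'."""
    return re.compile(r"(?:^|[;{}])\s*" + pattern + r"\s*;", re.M)

# The three directives from the notice's condition 2.
SPLIT = _directive(r"fastcgi_split_path_info\s+\S+")
PATH_INFO = _directive(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info")
PASS = _directive(r"fastcgi_pass\s+\S+")
LOCATION = re.compile(r"^\s*location\s+([^{]*?)\s*\{", re.M)

def location_blocks(text):
    """Yield (header, body) per location block, matching braces by depth."""
    for m in LOCATION.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def risky_locations(config_text):
    """Return headers of location blocks holding all three directives."""
    clean = re.sub(r"#[^\n]*", "", config_text)  # ignore commented-out lines
    return [hdr for hdr, body in location_blocks(clean)
            if SPLIT.search(body) and PATH_INFO.search(body) and PASS.search(body)]

# Constructed sample configuration (not from the notice).
SAMPLE = r"""
server {
    location / {
        root /var/www/html;
    }
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
    location ~ \.php$ {
        # fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_pass php:9000;
    }
}
"""

if __name__ == "__main__":
    for header in risky_locations(SAMPLE):
        print("review location block:", header)
```

To screen a real server, pass the full effective configuration (for example the output of `nginx -T`) to `risky_locations` so that included files are covered.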
IV. Solutions
Provided that services are not affected, delete the risky Nginx configuration or suspend the Nginx + PHP-FPM environment.
The built-in policy of the HUAWEI CLOUD WAF service protects against this vulnerability. If you are a WAF user, you only need to confirm that the interception mode is enabled.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.