A recently patched security vulnerability in modern versions of the PHP programming language is being exploited in the wild to take over servers.
The vulnerability is a remote code execution (RCE) bug in PHP 7, the current branch of PHP, which is the most widely used server-side language for building websites.
The issue is tracked as CVE-2019-11043 and allows attackers to run commands on a server simply by requesting a specially crafted URL.
Exploiting the bug is not difficult, and public proof-of-concept exploit code was published on GitHub earlier this week.
According to Satnam Narang, Senior Security Response Manager at Tenable, the PoC script included in the GitHub repository can query a target web server to identify whether or not it is vulnerable by sending specially crafted requests. Once a vulnerable target has been identified, attackers can send specially crafted requests by appending ‘?a=’ to the URL of a vulnerable web server.
Fortunately, not every PHP-capable web server is affected: only Nginx servers that hand requests to PHP-FPM are vulnerable, and only in configurations that derive PATH_INFO from the fastcgi_split_path_info directive. PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features.
While PHP-FPM is not a standard component of Nginx installs, some web hosting providers include it as part of their standard PHP hosting environments, and popular self-hosted applications are commonly deployed on it. Nextcloud, maker of the self-hosted file-sharing platform of the same name, issued a security advisory urging its users to update PHP to the latest releases, 7.3.11 and 7.2.24, which were published the same day and include the fix for CVE-2019-11043.
Many other web hosting providers are also believed to be running the vulnerable Nginx+PHP-FPM combo.
There are also website owners who cannot update PHP, or cannot switch from PHP-FPM to another FastCGI processor, because of technical constraints.
For them, Wallarm, the company whose security researcher Andrew Danau is credited with discovering the PHP 7 RCE, has published a blog post with instructions on using the ModSecurity web application firewall to block requests whose URL contains %0a (newline) bytes. This stops the known attack pattern, but it is a workaround rather than a fix: the underlying bug remains until PHP is updated.
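The blocking rule Wallarm describes keys on one thing: a percent-encoded newline in the request URL. The same signal can be used after the fact to find attack attempts in existing Nginx access logs. The script below is an added example written for this article, not code from Wallarm or from the PoC repository; the log lines are constructed, not real traffic, and the labels it assigns are this example's own naming. A newline inside a path that reaches a .php script is the shape of the CVE-2019-11043 request; a newline elsewhere in the URL is lower-signal but is still what the ModSecurity rule would block.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in Nginx "combined" log format (not real traffic).
# Lines 2 and 4 carry a percent-encoded newline in the script path; line 3 has
# one only in the query string of a static asset.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Oct/2019:10:01:05 +0000] "GET /index.php/x%0Ay.php?a=id HTTP/1.1" 502 0 "-" "python-requests/2.22"
10.0.0.9 - - [25/Oct/2019:10:01:09 +0000] "GET /static/app.js?v=%0a HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Oct/2019:10:01:11 +0000] "GET /index.php/%0d%0a/z.php HTTP/1.1" 502 0 "-" "curl/7.64"
"""

# Fields of the combined log format that matter here; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def classify_target(target: str) -> Optional[str]:
    """Label a request target that contains an encoded CR or LF; None if clean.

    Nginx logs the request line as sent, so the newline is still %0a/%0d here
    and only appears after URL-decoding. Path and query are split before
    decoding so an encoded '?' in the path cannot shift the boundary.
    """
    raw_path, _, raw_query = target.partition("?")
    path, query = unquote(raw_path), unquote(raw_query)
    if ("\n" in path or "\r" in path) and ".php" in path.lower():
        return "newline-in-php-path"   # the CVE-2019-11043 request shape
    if "\n" in path + query or "\r" in path + query:
        return "newline-in-url"        # blocked by Wallarm's rule, lower signal
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose request target looks like an attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                   # not combined format; skip rather than guess
        label = classify_target(m["target"])
        if label:
            hits.append({"client": m["client"], "time": m["time"],
                         "target": m["target"], "status": m["status"],
                         "label": label})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["label"], hit["client"], hit["status"], hit["target"])
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log").read())`. A hit does not prove compromise, only that the request reached Nginx; whether it reached a vulnerable PHP-FPM worker depends on the location block that matched it, so pair this with the configuration audit before drawing conclusions.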
With public PoC code available and the bug easy to exploit, all website owners running Nginx with PHP-FPM are advised to check their server configuration and update PHP as soon as possible if they run the vulnerable combination.
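The two checks that advice boils down to, a PHP version at or above the fixed release and an Nginx location block that does not match the exploit's preconditions, can be scripted. The example below is added here and is not code from the article's sources. It assumes the fixed releases named in the article (7.3.11 and 7.2.24) plus 7.1.33, which shipped the same fix, and it treats any other branch as unknown rather than guessing. The configuration audit is a heuristic: it flags a location block that sets an anchored `fastcgi_split_path_info` regex, feeds `PATH_INFO` from `$fastcgi_path_info` (directly or through a `set` copy), and has no `try_files ... =404` existence check, which is the combination the public PoC requires. The two config snippets are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Releases carrying the fix, per branch: 7.3.11 and 7.2.24 from the article,
# 7.1.33 released alongside them. Branches not listed return None (unknown).
FIXED_RELEASES = {(7, 3): (7, 3, 11), (7, 2): (7, 2, 24), (7, 1): (7, 1, 33)}


def parse_php_version(php_v_output: str) -> Tuple[int, int, int]:
    """Extract x.y.z from the first line of `php -v` or `php-fpm -v` output."""
    m = re.search(r"PHP (\d+)\.(\d+)\.(\d+)", php_v_output)
    if not m:
        raise ValueError("no PHP version in: %r" % php_v_output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def php_is_patched(version: Tuple[int, int, int]) -> Optional[bool]:
    """True/False for a known branch, None if the branch is not in the table."""
    fixed = FIXED_RELEASES.get(version[:2])
    return None if fixed is None else version >= fixed


def location_blocks(conf: str) -> List[Tuple[str, str]]:
    """Split an Nginx config into (location header, body) pairs with a brace counter.

    Heuristic: a `location` word inside a comment, or a regex containing '{',
    would confuse it; good enough for the common php-fpm snippets.
    """
    blocks = []
    for m in re.finditer(r"location\s+[^{]+\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(0)[:-1].strip(), conf[m.end():i - 1]))
    return blocks


def path_info_from_split(body: str) -> bool:
    """True if PATH_INFO is fed from $fastcgi_path_info, directly or via a `set` copy."""
    sources = {"fastcgi_path_info"}
    for m in re.finditer(r"set\s+\$(\w+)\s+\$fastcgi_path_info\s*;", body):
        sources.add(m.group(1))
    m = re.search(r"fastcgi_param\s+PATH_INFO\s+\$(\w+)\s*;", body)
    return bool(m and m.group(1) in sources)


def audit_location(header: str, body: str) -> Dict[str, object]:
    """Report which exploit preconditions a single location block satisfies."""
    split = re.search(r"fastcgi_split_path_info\s+([^\s;]+)\s*;", body)
    anchored = bool(split and split.group(1).startswith("^") and split.group(1).endswith("$"))
    guarded = bool(re.search(r"try_files\b[^;]*=404", body))
    feeds_path_info = path_info_from_split(body)
    return {
        "location": header,
        "anchored_split_path_info": anchored,
        "path_info_from_split": feeds_path_info,
        "try_files_404": guarded,
        "matches_exploit_preconditions": anchored and feeds_path_info and not guarded,
    }


def audit_config(conf: str) -> List[Dict[str, object]]:
    return [audit_location(h, b) for h, b in location_blocks(conf)]


# Constructed example: a typical php-fpm location with no file-existence check.
VULNERABLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""

# Constructed example: the same block with try_files, copying PATH_INFO through
# a variable because try_files resets $fastcgi_path_info.
HARDENED_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""

if __name__ == "__main__":
    print(php_is_patched(parse_php_version("PHP 7.3.10 (fpm-fcgi) (built: Oct  1 2019)")))
    for report in audit_config(VULNERABLE_CONF) + audit_config(HARDENED_CONF):
        print(report)
```

A block flagged by `matches_exploit_preconditions` on an unpatched PHP is the case to fix first; the `try_files` guard is a mitigation that makes the crafted request a 404, but updating PHP is the fix. Configurations that feed PATH_INFO some other way are reported as not matching, not as safe, so read the full report rather than only the final flag.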