PHP Flaw Allows Hackers to Control NGINX Servers
A buffer underflow bug in PHP-FPM, the FastCGI process manager that lets NGINX hand .php requests to a pool of PHP worker processes, could allow remote code execution on NGINX servers. The flaw was discovered during a Capture the Flag competition in September; it is reached through the fastcgi_split_path_info directive that many NGINX PHP configurations use. PHP runs around 30 percent of modern websites, including popular web platforms like WordPress and Drupal. NGINX servers are only vulnerable if they pass requests to PHP-FPM, which is not enabled by default, and do so with a location block that splits PATH_INFO from the request path. The flaw has been fixed in PHP versions 7.3.11, 7.2.24 and 7.1.33, which were released last week.
The flaw is exploited by sending a specially crafted URL to a server whose NGINX configuration uses the fastcgi_split_path_info directive. That directive applies a regular expression, typically ^(.+?\.php)(/.*)$, to user-controlled data, the request URI, to separate the script name from the trailing PATH_INFO. A URL containing an encoded newline byte (%0a) breaks the regular expression: in PCRE '.' does not match a newline, so the expression fails to match, NGINX falls back to the whole URI as the script name and passes an empty PATH_INFO to PHP-FPM. PHP-FPM's path-info fix-up then walks the non-existent script path back to the real script and computes a pointer into PATH_INFO from its zero length minus the length of the leftover, which lands before the start of the buffer; the zero byte written there is the underflow. It corrupts adjacent FastCGI request data, one visible symptom being that the server sends back more data than it should, and that corruption is what an attacker builds into code execution.
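To make the matching step concrete, the following Python script (added here as an illustration; it is not code from the article, the researcher or the PHP project) models how the usual fastcgi_split_path_info expression, ^(.+?\.php)(/.*)$, treats a normal request and one carrying %0a, which FastCGI variables would reach PHP-FPM in each case, why a plain /index.php request is harmless even though it also yields an empty PATH_INFO, and why a try_files check in front of PHP-FPM stops the crafted request. The document root, the set of existing files and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import unquote

# The directive the article discusses, in its usual form:
#   fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# nginx evaluates it with PCRE, where '.' does not match a newline and '$'
# anchors at the end of the string. Python's re module treats this pattern
# the same way, so it can stand in for nginx's matching step here.
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")

# Constructed document root and file set for the example.
DOCUMENT_ROOT = "/var/www/html"
EXISTING_FILES = {"/var/www/html/index.php"}


def split_path_info(request_uri: str) -> tuple:
    """Model $fastcgi_script_name and $fastcgi_path_info for one request.

    nginx matches the directive against the percent-decoded URI, so %0a is
    already a literal newline at this point. When the expression does not
    match, nginx uses the whole URI as $fastcgi_script_name and leaves
    $fastcgi_path_info empty: the broken-regexp / empty-PATH_INFO state.
    """
    uri = unquote(request_uri)
    m = SPLIT_PATH_INFO.match(uri)
    if m:
        return m.group(1), m.group(2)
    return uri, ""


def fastcgi_params(request_uri: str, document_root: str = DOCUMENT_ROOT) -> dict:
    """The FastCGI variables a typical location block hands to PHP-FPM."""
    script_name, path_info = split_path_info(request_uri)
    return {
        "SCRIPT_FILENAME": document_root + script_name,
        "SCRIPT_NAME": script_name,
        "PATH_INFO": path_info,
    }


def reaches_underflow_state(params: dict, existing_files: set) -> bool:
    """Precondition of the PHP-FPM bug: PATH_INFO is passed but empty, and
    SCRIPT_FILENAME does not exist as given, so PHP-FPM's path-info fix-up
    (cgi.fix_pathinfo=1, the default) walks back to an existing script and is
    left with a non-empty remainder. It then computes a pointer into PATH_INFO
    as (length of PATH_INFO) - (length of remainder) = 0 - n, i.e. before the
    start of the buffer, and writes a zero byte there.
    A plain /index.php also yields an empty PATH_INFO but no remainder, so it
    is harmless; the newline request is what produces both at once."""
    if params["PATH_INFO"] != "":
        return False
    path = params["SCRIPT_FILENAME"]
    if path in existing_files:
        return False  # script resolved exactly, remainder is empty
    while "/" in path:
        path = path.rsplit("/", 1)[0]
        if path in existing_files:
            return True  # existing script plus a non-empty remainder
    return False


def try_files_returns_404(params: dict, existing_files: set) -> bool:
    """Model `try_files $fastcgi_script_name =404;` placed in the location:
    nginx answers 404 itself unless $document_root$fastcgi_script_name exists,
    so the crafted path never reaches PHP-FPM."""
    return params["SCRIPT_FILENAME"] not in existing_files


if __name__ == "__main__":
    for uri in ("/index.php/some/path", "/index.php", "/index.php/PHP%0Apayload.php"):
        p = fastcgi_params(uri)
        print(f"{uri!r:36} PATH_INFO={p['PATH_INFO']!r:14} "
              f"underflow={reaches_underflow_state(p, EXISTING_FILES)} "
              f"try_files_404={try_files_returns_404(p, EXISTING_FILES)}")
```

Run it as-is to see the three cases side by side: only the request with the encoded newline both empties PATH_INFO and leaves an unresolved remainder, and the same request is the one a try_files check turns into a 404 before PHP-FPM ever sees it.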
Because the trigger is a single HTTP request against a common configuration pattern, this issue is an easy entry point into web applications. Administrators can locate NGINX configurations that use the directive with: egrep -Rin --color 'fastcgi_split_path' /etc/nginx/. Location blocks that verify the script exists before proxying to PHP-FPM (try_files $fastcgi_script_name =404;) are not exploitable, but that is a mitigation only; administrators are advised to install one of the fixed versions of PHP.
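Going one step beyond the egrep command, the following Python auditor (an added example, not part of the article) pulls each location block out of an NGINX configuration, flags blocks that use fastcgi_split_path_info and pass PATH_INFO to PHP-FPM, and records whether the block checks that the script exists before proxying. The sample configuration is constructed: its two location blocks show the risky shape and the mitigated shape.

```python
import re
import sys

# Constructed sample configuration (not from the article). The first block has
# the shape the article warns about; the second adds an existence check so
# nginx answers 404 itself instead of forwarding a crafted path to PHP-FPM.
SAMPLE_CONFIG = r"""
server {
    listen 80;
    root /var/www/html;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }

    location ~ ^/app/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

# A location header runs up to the opening brace. (A header regex containing
# a literal '{', e.g. \d{2}, would confuse this simple scanner.)
LOCATION_RE = re.compile(r"location\s+[^{]*\{")
SPLIT_RE = re.compile(r"\bfastcgi_split_path_info\b")
PATH_INFO_RE = re.compile(r"\bfastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\b")
TRY_FILES_RE = re.compile(r"\btry_files\s+\$fastcgi_script_name\b")
IF_EXISTS_RE = re.compile(r"\bif\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)")
INCLUDE_RE = re.compile(r"\binclude\s+([^;\s]+)\s*;")


def extract_location_blocks(config: str) -> list:
    """Return (header, body) pairs for every location block, counting braces
    so nested blocks such as if (...) { } stay inside their location."""
    blocks = []
    for m in LOCATION_RE.finditer(config):
        depth = 0
        for i in range(m.end() - 1, len(config)):
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
                if depth == 0:
                    header = m.group(0).rstrip("{").strip()
                    blocks.append((header, config[m.end():i]))
                    break
    return blocks


def strip_comments(text: str) -> str:
    """Drop '#' comments so a commented-out directive is not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit_php_locations(config: str) -> list:
    """Flag location blocks that split PATH_INFO for PHP-FPM and report whether
    they verify the script exists first. Included files are listed but not
    followed; inspect them separately (a recursive egrep over /etc/nginx does)."""
    findings = []
    for header, body in extract_location_blocks(config):
        body = strip_comments(body)
        if not (SPLIT_RE.search(body) and PATH_INFO_RE.search(body)):
            continue
        checks = bool(TRY_FILES_RE.search(body) or IF_EXISTS_RE.search(body))
        findings.append({
            "location": header,
            "checks_script_exists": checks,
            "includes": INCLUDE_RE.findall(body),
            "risk": "low" if checks else "high",
        })
    return findings


if __name__ == "__main__":
    # With file arguments, audit real configs; otherwise run on the sample.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_CONFIG]
    for text in texts:
        for f in audit_php_locations(text):
            print(f"{f['risk']:4} {f['location']}  includes={f['includes']}")
```

The auditor does not follow include directives, which matters in practice: on Debian-based systems the split directive (together with a try_files check) usually lives in an included snippet such as snippets/fastcgi-php.conf rather than in the location block itself, so review every file it lists under includes, or fall back to the recursive egrep above, before concluding a block is clean. Either way the finding only tells you where the directive is; the fix remains the PHP update.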