CVE-2019-11043 is an env_path_info underflow flaw in PHP-FPM’s fpm_main.c. The vulnerability was first reported to the PHP bug-tracker by security researcher Emil Lerner on September 26, 2019. Lerner also credits Andrew Danau, a security researcher at Wallarm, who identified the “anomaly” during a Capture The Flag competition in September 2019, and Ganiev for helping to finalize the php.ini options for the PoC.
What’s vulnerable
If a webserver runs Nginx + PHP-FPM and Nginx have a configuration like
location ~ [^/]\.php(/|$) {
...
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
...
}which also lacks any script existence checks (like try_files), then you are probably vulnerable.
The full list of preconditions
- Nginx + PHP-FPM, location ~ [^/]\.php(/|$) must be forwarded to PHP-FPM.
- The
fastcgi_split_path_infodirective must be there and contain a regexp starting with^and ending with$, so we can break it with a newline character. - There must be a
PATH_INFOvariable assignment via statementfastcgi_param PATH_INFO $fastcgi_path_info;. Note that it isn’t always present in thefastcgi_paramsfile. - No file existence checks like
try_files $uri =404orif (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, the code execution can’t be triggered. Adding this is also the easiest way to patch. - The bug itself is present in earlier versions.
Fixes
Newest released PHP 7.1.33, 7.2.24, 7.3.11 fixed the bug, users are encouraged to upgrade to one these versions.