On October 23, 2019, the PHP project disclosed a vulnerability that can lead to remote code execution in PHP-FPM when Nginx is configured in a particular way. Because the configuration in question is publicly available, administrators and operations staff running nginx + PHP-FPM services should check their own configuration promptly.

[Vulnerability details]

When Nginx's fastcgi_split_path_info directive handles a request containing %0A, the newline character (\n) is not handled correctly and PATH_INFO is left empty. PHP-FPM's processing of PATH_INFO contains a flaw in this case, which an attacker can exploit for code execution. A PoC is already public in the open source community.

Note: Users who copied the PHP-FPM sample configuration given by Nginx exactly are affected by this vulnerability.

[Code example is as follows]

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}

[Fix Suggestion]

For services running nginx + PHP-FPM, change the regular expression of the fastcgi_split_path_info directive in the nginx configuration file so that unreadable characters are not allowed after .php.

Delete the following configurations:

fastcgi_split_path_info ^(.+?\.php)(/.*)$;

fastcgi_param PATH_INFO $fastcgi_path_info;
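
A self-check along the lines described above, as an added example (not part of the original advisory and not code from the PHP or Nginx projects). It flags every location block that carries both directives listed above and reports whether the split regex fails on a path containing a newline. The sample config is constructed, the function names are hypothetical, and Python's `re` is assumed to behave like Nginx's PCRE for these patterns.

```python
import re

# Constructed sample: the affected block from the article plus one without PATH_INFO.
SAMPLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
    location ~ \.php$ {
        fastcgi_pass php:9000;
    }
}
"""
SPLIT = re.compile(r"fastcgi_split_path_info\s+(\S+?)\s*;")
PATH_INFO = re.compile(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;")
PROBE = "/index.php/a\nb"  # constructed URI as seen after %0A is decoded

def location_blocks(text):
    """Yield (selector, body) for each location block, tracking nested braces."""
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def split_fails_on_newline(pattern):
    """True if the regex does not match PROBE, i.e. $fastcgi_path_info stays empty."""
    try:
        return re.search(pattern, PROBE) is None
    except re.error:
        return None  # PCRE syntax that Python's re cannot evaluate

def audit(conf_text):
    """Return one finding per location block that forwards a split PATH_INFO."""
    conf_text = re.sub(r"#.*", "", conf_text)  # simplification: drop comments
    findings = []
    for selector, body in location_blocks(conf_text):
        split = SPLIT.search(body)
        if split and PATH_INFO.search(body):
            findings.append({"location": selector, "regex": split.group(1),
                             "empty_path_info_on_newline":
                                 split_fails_on_newline(split.group(1))})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

To check a real server, pass the text of the configuration file (including any included files, concatenated) to `audit()` in place of `SAMPLE_CONF`.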

[Vulnerability Reference]

1) Official update notice: bugs.php.net/bug.php?id=…

2) Open source community write-up: github.com/neex/phuip-…