A remote code execution vulnerability in PHP7, tracked as CVE-2019-11043, has been exploited in attacks in the wild.
On October 22, the security expert Omar Ganiev announced via Twitter the availability of a “freshly patched” remote code execution vulnerability in PHP-FPM, the FastCGI Process Manager (FPM) for PHP.
The researchers also shared a link to the
The CVE-2019-11043 flaw does not require specific skills to exploit and can be used to take over servers. It is an env_path_info underflow flaw in PHP-FPM’s fpm_main
The flaw was first reported to the PHP bug-tracker on September 26, 2019 by security expert Emil Lerner, who also credited the researcher Andrew Danau for the issue.
Lerner explained that the vulnerability could be exploited to gain remote code execution under certain configurations where a web server is using
“The PoC script included in the GitHub repository can query a target web server to identify whether or not it is vulnerable by sending specially crafted requests.” reads the analysis published by Tenable. “Once a vulnerable target has been identified, attackers can send specially crafted requests by appending “?a=” in the URL to a vulnerable web server.”
On October 24, PHP maintainers released PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable) that addressed the CVE-2019-11043 vulnerability. Administrators using
The maintainers also suggested a workaround that consists of either including the try_files directive or using an if statement, such as if (-f $
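
A defensive check for the fix and the workaround described above, as an added example that is not from the article or the PHP project: it compares a PHP version against the two fixed releases named here and flags nginx `location` blocks that pass requests to PHP-FPM without `try_files` or an `if (-f ...)` test. The nginx directives `fastcgi_split_path_info` and `fastcgi_pass`, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Fixed releases named in the article; other branches are not covered there.
FIXED = {(7, 2): 24, (7, 3): 11}

# Constructed sample nginx configuration (not taken from the article).
SAMPLE = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;
    }
    location /app {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

def php_is_patched(version):
    """True/False for 7.2.x and 7.3.x, None for branches the article does not list."""
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch >= fixed

def location_blocks(conf):
    """Yield (header, body) for each location block, matching nested braces."""
    for m in re.finditer(r"location\s+([^{;]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf):
    """Return headers of PHP-FPM locations lacking try_files or an if (-f ...) check."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before scanning
    flagged = []
    for header, body in location_blocks(conf):
        if "fastcgi_pass" not in body or "fastcgi_split_path_info" not in body:
            continue  # not a path-splitting PHP-FPM handler
        if not re.search(r"\btry_files\b|\bif\s*\(\s*!?\s*-f\b", body):
            flagged.append(header)
    return flagged

if __name__ == "__main__":
    print(audit(SAMPLE), php_is_patched("7.3.10"))
```

The scan is a text heuristic: it does not follow `include` files or handle braces inside regular expressions, so a flagged block is a prompt for manual review rather than proof of exposure.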