DEV Community

Cover image for Hackers are using a bug in PHP7 to remotely hijack web servers
Paulo Renato
Paulo Renato

Posted on

Hackers are using a bug in PHP7 to remotely hijack web servers

In this article by GBHackers, and on this other one by the TheNextWeb, we can learn that Emil Lerner have disclosed the vulnerability in the PHP bug tracker, and it have been classified has the CVE-2019-11043.

In a nutshell this vulnerability allows an attacker to take control of any server running PHP7 with Nginx and the PHP-FPM extension, just by adding to the url of the website ?a='payload-here, and you can see the proof of concept for a more detailed explanation on how this remote code execution vulnerability is exploitable.


The vulnerability


The vulnerability resides in env_path_info in the file fpm_main.c of the FPM component. The FPM is the php-fpm module used for performance enhancement.

The manipulation of the file leads to memory corruption, chaining with other vulnerabilities allows attackers to remotely execute arbitrary code on web servers with vulnerable configurations.

How can be exploited


With this vulnerability, which has the CVE-ID of 2019-11043, an attacker could force a remote web server to execute their own arbitrary code simply by accessing a crafted URL. The attacker only needs to add “?a=” to the website address, followed by their payload.

Who is affected


Fortunately, the vulnerability only impacts servers using the NGINX web server with the PHP-FPM extension. PHP-FPM is a souped-up version of FastCGI, with a few extra features designed for high-traffic websites.



Following are the mitigations from Nextcloud

  • If you are not using NGINX then this vulnerability will not affect you.
  • Users are recommended to update with the latest versions 7.1.33,7.2.24 & 7.3.11.
  • Recommended removal of $request_uri


Site owners who are unable to update their PHP install can mitigate the problem by setting a rule within the standard PHP mod_security firewall. Instructions on how to do this can be found on the website of appsec startup Wallarm.


Are you gonna take this seriously, and take action or you will just think that only happen to others?


Cover image credit goes for GBHackers.

Top comments (0)