Overview

Recently, security researchers have published a vulnerability in php-fpm (CVE-2019-11043) that could lead to remote code execution in certain Nginx configurations.

The vulnerability exists in the file sapi/fpm/fpm/fpm_main.c (https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1140), which assumes the prefix of env_path_info Equal to the path of the php script, but in fact the code does not check if this assumption is met, and the lack of this check will invalidate the pointer in the “path_info” variable. In some Nginx configurations, an attacker can use a line break (encoded at %0a) to destroy the regexp in the `fastcgi_split_path_info` directive, which can cause a null PATH_INFO, which triggers the vulnerability. (more…)