PHP Security PHP 7.3.11, 7.2.24, 7.1.33 Release for RCE Security Vulnerability

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Oct 27, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    42,078
    9,497
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,613
    Local Time:
    4:26 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    This is a dedicated discussion thread for PHP Remote Code Execution CVE-2019-11043 security vulnerability announced at PHP 7.3.11, 7.2.24 & 7.1.33 Security Updates + Backported PHP 7.0.33 & 5.6.40. You should update to PHP 7.3.11, 7.2.24 or 7.1.33 ASAP or if on 7.0.33 or 5.6.40 EOL versions, update to 123.09beta01 latest version and run cmupdate command and then run centmin.sh menu option 5 to recompile EOL PHP 7.0.33 or 5.6.40 for backported fixes I made for this security flaw.

    Here are some links with further info.
    According to the Hackernews article, you MAY not be vulnerable, as Centmin Mod's default Nginx and PHP-FPM configuration in the /usr/local/nginx/conf/php.conf include files uses an if check for whether the requested file exists or not.
    Code (Text):
    location ~ [^/]\.php(/|$) {
        include /usr/local/nginx/conf/503include-only.conf;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        # ... remaining directives of the location block were not quoted in the post
    }


    However, I wouldn't rely on just this to protect you; upgrade to a fixed PHP version as soon as possible as well, either PHP 7.3.11, 7.2.24, 7.1.33 or one of the backported fixed EOL PHP versions 7.0.33 or 5.6.40 if you're on Centmin Mod 123.09beta01.

    Updating PHP Instructions

    For Centmin Mod, PHP update instructions are outlined at PHP 7.3.11, 7.2.24 & 7.1.33 Security Updates + Backported PHP 7.0.33 & 5.6.40
    Like x 4
  2. Jon Snow

    Jon Snow Active Member

    447
    66
    28
    Jun 30, 2017
    Ratings:
    +104
    Local Time:
    2:26 PM
    Nginx 1.13.9
    MariaDB 10.1.31
    Was about to ask about this when I first saw it in the other thread but thanks for mentioning it in the post.
    Like x 1
  3. eva2000

    eva2000 Administrator Staff Member

    Yeah, the released PoC exploit, tested on Centmin Mod 123.09beta01 pre-fix versions, returns status 404 (not vulnerable), and on fixed PHP versions returns status 403 (not vulnerable) :)
     
  4. eva2000

    eva2000 Administrator Staff Member

    Like x 2
  5. rdan

    rdan Well-Known Member

    4,715
    1,138
    113
    May 25, 2014
    Ratings:
    +1,693
    Local Time:
    2:26 AM
    Mainline
    10.2
    Why use:
    Code:
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    Instead of:
    Code:
    try_files $uri =404;
     
  6. eva2000

    eva2000 Administrator Staff Member

    Does the same thing, but you can try the try_files method and see as well.
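A config audit check for the nginx-side mitigation discussed in this thread, added here as an example and not Centmin Mod's own code: it scans nginx config text for .php location blocks that use fastcgi_split_path_info and reports whether each carries a file-existence guard in either of the two forms compared above (the if (!-f ...) check or the try_files $uri =404 variant). The sample configs and the socket path are constructed.

```python
import re

# Guards that stop nginx handing a request for a non-existent .php file to
# PHP-FPM: the "if (!-f ...)" form used by Centmin Mod and the try_files form.
GUARD_PATTERNS = [
    re.compile(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)"),
    re.compile(r"try_files\s+[^;]*=404\s*;"),
]

def php_location_blocks(conf):
    """Return (header, body) for each location block whose pattern matches .php."""
    blocks = []
    for m in re.finditer(r"location\s+([^{]+)\{", conf):
        if r"\.php" not in m.group(1):
            continue
        depth, i = 1, m.end()  # walk forward to the brace that closes this block
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), conf[m.end():i - 1]))
    return blocks

def audit(conf):
    """Classify each PHP location block as 'no-split' (PATH_INFO is not derived
    from the URI, so out of scope here), 'guarded' (split plus a file-existence
    check) or 'unguarded' (split with no check before the request reaches PHP-FPM)."""
    results = []
    for header, body in php_location_blocks(conf):
        if "fastcgi_split_path_info" not in body:
            results.append((header, "no-split"))
        elif any(p.search(body) for p in GUARD_PATTERNS):
            results.append((header, "guarded"))
        else:
            results.append((header, "unguarded"))
    return results

# Constructed sample configs (not taken from any live server or from the page).
UNGUARDED_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/run/php-fpm.sock;
}
"""
GUARDED_IF_CONF = UNGUARDED_CONF.replace(
    "    fastcgi_param", "    if (!-f $document_root$fastcgi_script_name) {\n"
    "        return 404;\n    }\n    fastcgi_param", 1)
GUARDED_TRY_CONF = UNGUARDED_CONF.replace(
    "    fastcgi_param", "    try_files $uri =404;\n    fastcgi_param", 1)
```

Run audit() over the text of your php.conf include to see which PHP location blocks would still pass requests for missing scripts through to PHP-FPM; it checks for the guard's presence only, not its position relative to fastcgi_pass.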