PHP Security PHP 7.3.11, 7.2.24, 7.1.33 Release for RCE Security Vulnerability

This is a dedicated discussion thread for PHP Remote Code Execution CVE-2019-11043 security vulnerability announced at PHP 7.3.11, 7.2.24 & 7.1.33 Security Updates + Backported PHP 7.0.33 & 5.6.40. You should update to PHP 7.3.11, 7.2.24 or 7.1.33 ASAP or if on 7.0.33 or 5.6.40 EOL versions, update to 123.09beta01 latest version and run cmupdate command and then run centmin.sh menu option 5 to recompile EOL PHP 7.0.33 or 5.6.40 for backported fixes I made for this security flaw.

Here's some links with further info

• PHP :: Sec Bug #78599 :: env_path_info underflow in fpm_main.c can lead to RCE
• New PHP Flaw Could Let Attackers Hack Sites Running On Nginx Servers (thanks @pamamolf )

According to the Hackernews article, you MAY not be vulnerable as Centmin Mod's default Nginx and PHP-FPM configuration in /usr/local/nginx/conf/php.conf include files uses a if check for if the requested file exists or not.

Code (Text):

location ~ [^/]\.php(/|$) {
  include /usr/local/nginx/conf/503include-only.conf;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

However, I wouldn't rely on just this to protect you and just upgrade to a fixed PHP version as soon as possible either, PHP 7.3.11, 7.2.24, 7.1.33 or one of the backported fixed EOL PHP versions 7.0.33 or 5.6.40 if you're on Centmin Mod 123.09beta01.

Updating PHP Instructions

For Centmin Mod, PHP update instructions are outlined at PHP 7.3.11, 7.2.24 & 7.1.33 Security Updates + Backported PHP 7.0.33 & 5.6.40

 

Yeah the PoC exploit released tested on Centmin Mod 123.09beta01 pre-fixed versions will return status 404 not vulnerable and after fixed PHP versions will return status 403 and not vulnerable

 

Nginx folks have published an article for this as well Addressing the PHP-FPM Vulnerability (CVE-2019-11043) with NGINX - NGINX

 

Does the same thing but you can try the try_files method and see as well.