A recently patched vulnerability in newer versions of the PHP programming language is being exploited in the wild. The remote code execution (RCE) bug could allow an attacker to take over NGINX servers.
A security researcher known as “neex” submitted the RCE bug in PHP 7 (CVE-2019-11043) to the PHP team on September 26, 2019. He then published proof-of-concept (PoC) exploit code on GitHub.
Fortunately, only NGINX servers with PHP-FPM enabled are vulnerable. A remote web user could trigger the bug to get code execution for certain PHP-FPM configurations.
The issue was originally discovered by researcher Andrew Danau of security firm Wallarm during a Capture The Flag (CTF) competition this September. In a blog post, Wallarm described how Danau found unusual PHP script behavior after sending a %0a (newline) byte in the URL.
To help mitigate these types of attacks, webmasters can configure their web app firewalls (WAF) to filter %0a/%0d bytes in URLs.
System administrators should also update their systems as soon as possible to the latest PHP 7.1.33, 7.2.24 or 7.3.11 releases, given how simple the bug is to exploit and the availability of a public PoC.
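The same %0a/%0d check that a WAF rule applies can be run over existing access logs to see whether such requests have already reached a server. The following is an added example, not code from the article, Wallarm or the PHP project; it assumes NGINX's "combined" log format, and the function names and sample lines are constructed for illustration. It goes one step beyond the article by also flagging double-encoded bytes such as %250a.

```python
import re
from urllib.parse import unquote

# Request part of an NGINX "combined" access-log line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[0-9.]+"')
# Percent-encoded line feed (%0a) or carriage return (%0d), either hex case
ENCODED_NEWLINE_RE = re.compile(r"%0[ad]", re.IGNORECASE)


def has_encoded_newline(value):
    """True if value carries %0a/%0d as sent, or after one extra decode (%250a)."""
    # The second check is an assumption beyond the article: it covers double encoding.
    return bool(ENCODED_NEWLINE_RE.search(value)
                or ENCODED_NEWLINE_RE.search(unquote(value)))


def scan_access_log(lines):
    """Return (line_no, client, uri, where) for requests with an encoded newline."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # no parseable request in this line
        uri = match.group("uri")
        path, _, query = uri.partition("?")
        # Record which part of the URL carried the byte, to help triage
        where = [name for name, part in (("path", path), ("query", query))
                 if has_encoded_newline(part)]
        if where:
            hits.append((line_no, line.split(" ", 1)[0], uri, where))
    return hits


# Constructed sample lines (documentation IP ranges), not taken from a real server
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [28/Oct/2019:10:01:05 +0000] "GET /index.php/a%0Ab?x=1 HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.4 - - [28/Oct/2019:10:01:09 +0000] "GET /search.php?q=l1%0d%0al2 HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.4 - - [28/Oct/2019:10:01:12 +0000] "GET /index.php/a%250ab HTTP/1.1" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```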