Attackers Exploiting Bugs in PHP7 to Hijack Web Servers
Last week, Russia-based security researcher Emil ‘Neex Lerner has discovered a remote code execution vulnerability in the PHP bug tracker – classified as the CVE-2019-11043. The vulnerability allows the attackers to gain control of servers running PHP7 with NGINX and the PHP-FPM extension, simply by adding “?a=” to the URL of the website. Evidence shows that this critical PHP issue is being actively exploited by the threat actors.
Reportedly, the vulnerability did not affect all the PHP-capable servers, only NGINX servers with PHP-FPM enabled are exposed to the risk.
The FPM is the PHP-FPM module which is employed for the purpose of performance enhancement and the vulnerability which lets a remote net server to execute its own arbitrary code simply by accessing a specially designed URL, resides in env_path_info in the file fpm_main.c of the FPM component.
PHP (Hypertext pre-processor) is a wide-open source general-purpose scripting language that is used in the development of Static websites, Dynamic websites or web applications. It is one of the most common programming languages used to build websites and is focused on server-side scripting. It forms the basis for content management systems such as WordPress and also (in a way) for more sophisticated applications like Facebook. Therefore, to realize a security vulnerability inside it remains a great deal for security researchers.
Experts believe that this security vulnerability has all the right boxes checked for marking the beginning of a storm in the cybersecurity world, it doesn't only expose to risk multiple environments but also makes it extremely convenient for attackers to exploit the vulnerability. Although one can argue that patches are available for users as a safeguard against the vulnerability, not everyone is equally updated with the workarounds.
The barricades to enter the website for hacking has been radically lowered by this vulnerability, so much so that even people from nontechnical background could potentially abuse it, according to ZDNet.
Satnam Narang, Senior Security Response Manager at Tenable, explains that “The PoC script included in the GitHub repository can query a target webserver to identify whether or not it is vulnerable by sending specially crafted requests,”
“Once a vulnerable target has been identified, attackers can send specially crafted requests by appending ‘?a=' in the URL to a vulnerable web server,” adds Narang.