PHP is a programming language used across a large segment of the internet. It underpins a variety of content management systems, among them Drupal and WordPress, and plays an important role in the proper functioning of advanced web applications.
A Russian security researcher uncovered a remote code execution vulnerability that affects PHP 7, the latest version of the programming language.
By exploiting this vulnerability, tracked as CVE-2019-11043, an attacker can force a web server to execute custom code simply by requesting a crafted URL. The key to the exploit is appending `?a=` followed by the custom payload to the address. The exploit is so easy to use that even a person without in-depth programming experience could run malicious code quite easily.
The severity of the issue is limited by the fact that the exploit works only against NGINX web servers that use the PHP-FPM extension. PHP-FPM is an enhanced version of FastCGI and a popular choice for high-traffic websites.
These components are not mandatory for running PHP 7, but they are present quite often, especially at commercial enterprises. For example, NextCloud, a popular provider of productivity software, uses PHP 7 paired with NGINX and PHP-FPM. Its clients have already received an email notification encouraging them to install the latest PHP patch.
Those who cannot update their PHP installation can reduce the risk by adding a rule to the mod_security web application firewall. Several tutorials are available online, and the procedure can be carried out without problems.
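As an added defensive example (not code from the article, the PHP project, or NextCloud), the following Python scans NGINX access-log lines for requests of the shape the article describes, a PHP resource requested with an `a=` query parameter carrying a payload, so a responder can pull candidate entries for review. It assumes the default NGINX `combined` log format and that PHP resources are identified by a `.php` path component; the payload heuristic (any `a` value that is not a short plain token) is an assumption for triage, not a signature, and the sample log lines are constructed.

```python
"""Triage helper for CVE-2019-11043-style requests in NGINX access logs.

Added example, not from the article. Assumptions: the server writes the
default NGINX 'combined' log format, and PHP resources are identified by a
'.php' component in the request path. The 'a=' marker comes from the article;
the 'payload' test below is a triage heuristic, not an exploit signature.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Default NGINX 'combined' format (assumption):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A short plain token is treated as an ordinary parameter value, not a payload.
PLAIN_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{0,16}")


def parse_line(line):
    """Parse one 'combined' log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    if len(parts) != 3:  # expect "METHOD target HTTP/x.y"
        return None
    method, target, _proto = parts
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "method": method,
        "target": target,
        "status": int(m.group("status")),
    }


def is_suspicious(target):
    """True when a PHP resource is requested with an 'a' parameter whose value
    looks like a payload rather than a short ordinary token."""
    u = urlsplit(target)
    path = u.path.lower()
    if not (path.endswith(".php") or ".php/" in path):
        return False
    values = parse_qs(u.query, keep_blank_values=True).get("a")
    if not values:
        return False
    return any(PLAIN_TOKEN_RE.fullmatch(v) is None for v in values)


def triage(lines):
    """Return the parsed records whose request target matches the heuristic."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["target"]):
            hits.append(rec)
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.4 - - [24/Oct/2019:10:15:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Oct/2019:10:15:03 +0000] "GET /search.php?a=42&q=news HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Oct/2019:10:16:12 +0000] "GET /index.php?a=constructed+payload+here HTTP/1.1" 502 173 "-" "curl/7.64.0"',
    '198.51.100.9 - - [24/Oct/2019:10:16:20 +0000] "GET /assets/app.js?a=constructed+cache+buster HTTP/1.1" 200 90112 "-" "Mozilla/5.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines; the output is a shortlist for a human to review, since an `a` parameter is also used by legitimate applications and the heuristic will produce false positives on them.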
The vulnerability already looks like the perfect nexus for a massive security incident. Exploits that are this easy to use tend to become quite popular, and some targets are even more exposed due to lax cybersecurity guidelines.