PHP is relatively old, but it still underpins most of the web.
The web programming language powers WordPress and Drupal, as well as many other content management systems. It is also used on Facebook and other sophisticated web platforms. For this reason, a bug can translate into big trouble.
Emil ‘Neex’ Lerner, a Russia-based security researcher, disclosed that PHP 7 has a remote code execution (RCE) vulnerability, which would allow hackers to execute their own arbitrary code by simply accessing a crafted URL.
Neex's public proof-of-concept exploit code, which has been published on GitHub, explains that hackers willing to attack PHP 7-powered websites can just add ?a= to the target website address, followed by their payload.
The command is so simple that it significantly lowers the barrier of entry for hacking. The simplicity also means that non-technical hackers could abuse it.
Fortunately, the vulnerability (CVE-2019-11043) only impacts NGINX web servers with the PHP-FPM extension enabled. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features.
However, while PHP-FPM is not a standard component of NGINX installs, some web hosting providers include it by default. This means the vulnerability is common, particularly in commercial hosting environments.
Due to the availability of public proof-of-concept code and the simplicity of exploiting this bug, website owners are advised to check server settings and update PHP as soon as possible if their site is vulnerable.
If it is, website owners are urged to update their PHP install, or to mitigate the problem by blocking the %0a (newline) bytes in URLs.
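The following Python script is an added example, not code from this article, the researcher or Wallarm. It scans NGINX access-log lines (assumed to be in the default "combined" format; the sample lines are constructed) for request targets carrying the %0a byte mentioned above, including double-encoded forms, so site owners can see whether such requests have reached their server.

```python
import re
from urllib.parse import unquote

# Assumed NGINX "combined" format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Literal %0a (either case) or a newline produced by an earlier decoding round.
NEWLINE_RE = re.compile(r"%0a|\n", re.IGNORECASE)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2019:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Oct/2019:10:01:05 +0000] "GET /index.php/foo%0Abar?a=test HTTP/1.1" 502 173 "-" "curl/7.64.0"',
    '198.51.100.7 - - [28/Oct/2019:10:01:06 +0000] "GET /index.php/foo%250abar HTTP/1.1" 404 153 "-" "curl/7.64.0"',
    '192.0.2.44 - - [28/Oct/2019:10:02:11 +0000] "GET /search?q=php%20fpm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def has_encoded_newline(target, max_rounds=3):
    """Return True if the request target carries %0a, even when nested (%250a)."""
    current = target
    for _ in range(max_rounds):
        if NEWLINE_RE.search(current):
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            return False
        current = decoded
    return bool(NEWLINE_RE.search(current))


def scan(lines):
    """Return (line number, client IP, status, target) for each suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)  # lines in other formats are skipped
        if m and has_encoded_newline(m["target"]):
            hits.append((lineno, m["ip"], m["status"], m["target"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s status=%s %s" % hit)
```

A hit shows that a request with an encoded newline was received, not that the server was compromised; legitimate URLs rarely contain %0a, so each hit is worth reviewing.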
And for those who can't switch from PHP-FPM to another CGI processor due to technical constraints, a blog post from Wallarm suggests that web owners can set a rule within the standard PHP mod_security firewall, like:
The trivially simple way for attackers to exploit the vulnerability poses a huge problem, especially because many websites on the web are built using PHP.
While patches and workarounds exist, not all web owners are aware or willing to keep up with the trends of technology. In other words, not everyone is particularly proactive with their security.
The most notable instance is the Heartbleed OpenSSL bug. Years after the bug was disclosed and patched, over 200,000 servers remained vulnerable.
Threat intelligence firm BadPackets confirmed to ZDNet that bad actors are already utilizing this vulnerability to attack servers.