Hackers are using a bug in PHP7 to remotely hijack web servers
The PHP programming language underpins much of the Internet. It forms the
basis of popular content management systems like WordPress and Drupal, as well
as more sophisticated web applications, like Facebook (kinda). Therefore, it’s
a huge deal whenever researchers identify a security vulnerability within it.
PHP development company
PHP development company
A couple of days ago, Emil ‘Neex’ Lerner, a Russia-based security
researcher, disclosed a remote-code execution vulnerability in PHP 7 – the
latest iteration of the hugely popular web development language.
With this vulnerability, which has the CVE-ID of 2019-11043, an attacker
could force a remote web server to execute their own arbitrary code simply by
accessing a crafted URL. The attacker only needs to add “?a=” to the website
address, followed by their payload.
As pointed out by Catalin Cimpanu in ZDNet, this attack drastically
lowers the barrier to entry for hacking a website, simplifying it to the point
where even a non-technical user could abuse it.
Fortunately, the vulnerability only impacts servers using the NGINX web
server with the PHP-FPM extension. PHP-FPM is a souped-up version of FastCGI,
with a few extra features designed for high-traffic websites.
While neither of those components are necessary to use PHP 7, they remain
stubbornly common, particularly in commercial environments. Cimpanu points out
that NextCloud, a large productivity software provider, uses PHP7 with NGINX
and PHP-FPM. It’s since released a security advisory to clients urging them to
update warning them of the issue and imploring them to update their PHP install
to the latest version.
Site owners who are unable to update their PHP install can mitigate the
problem by setting a rule within the standard PHP mod_security firewall.
Instructions on how to do this can be found on the website of appsec startup
Wallarm.
This vulnerability has all the hallmarks of a security perfect storm. Not
only are multiple environments at risk, but it’s also trivially simple for an
attacker to exploit the vulnerability. And while patches and workarounds
currently exist, as we’ve witnessed previously, not everyone is particularly
proactive with their security. Two-and-a-half years after the well-publicized
Heartbleed OpenSSL bug was disclosed, over 200,000 servers remained vulnerable.
And there’s evidence to suggest that hackers are already exploiting this
critical PHP issue. Threat intel firm BadPackets has already confirmed to ZDNet
that bad actors are already using this vulnerability to commandeer servers.
Things are going to get worse before they get better.
Comments