PHP 'CVE-2019-11043' FPM Remote Code Execution Vulnerability (Version Check)

Information

Severity: High
Family: Web application abuses
CVSSv2 Base: 7.5
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Solution Type: Vendor Patch
Created: 4 years ago
Modified: 4 years ago

Summary

PHP is prone to a remote code execution vulnerability in certain nginx + php-fpm configurations.

Insight

The file sapi/fpm/fpm/fpm_main.c contains pointer arithmetic that assumes env_path_info has a prefix equal to the path to the PHP script. However, the code does not check that this assumption holds, and the missing check can lead to an invalid pointer in the 'path_info' variable. These conditions can be reached in a fairly standard nginx configuration: the regexp in the `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). The broken regexp leads to an empty PATH_INFO, which triggers the bug.

Affected Software

PHP versions before 7.1.33, 7.2.x before 7.2.24 and 7.3.x before 7.3.11.

Detection Method

Checks if a vulnerable version is present on the target host.
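A version check of this kind can be sketched as follows. This is an added example, not the scanner's own plugin code; the function names and the sample banners are constructed for illustration, and the version ranges are the ones listed under Affected Software.

```python
import re

# First fixed release per branch, taken from the advisory text on this page.
FIXED = {(7, 1): 33, (7, 2): 24, (7, 3): 11}

# Matches the version in banners such as "X-Powered-By: PHP/7.2.19-0ubuntu0.18.04.2".
_VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner):
    """Return (major, minor, patch) from a banner string, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """Apply the page's ranges: < 7.1.33, 7.2.x < 7.2.24, 7.3.x < 7.3.11."""
    major, minor, patch = version
    if (major, minor) < (7, 1):
        return True  # "before 7.1.33" covers every older branch
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return False  # branches after 7.3 are outside the listed ranges
    return patch < fixed_patch


def check_banner(banner):
    """Classify one banner as 'affected', 'not affected' or 'unknown'."""
    version = parse_php_version(banner)
    if version is None:
        return "unknown"  # no version exposed, so a version check says nothing
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "X-Powered-By: PHP/7.2.19-0ubuntu0.18.04.2",
        "X-Powered-By: PHP/7.3.11",
        "X-Powered-By: PHP/7.1.32",
        "Server: nginx",
    ]
    for banner in samples:
        print(f"{banner!r}: {check_banner(banner)}")
```

A version comparison cannot see distribution backports or whether the host uses the nginx + php-fpm configuration described under Insight, so an "affected" result should be confirmed against the package changelog and the server configuration.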

Solution

Update to version 7.1.33, 7.2.24, 7.3.11 or later. Alternatively, a workaround that changes the nginx configuration to mitigate this vulnerability is described at the PHP.net bug tracker linked in the references.

Common Vulnerabilities and Exposures (CVE)