Nasty PHP7 remote code execution bug exploited in the wild
ZDNet – Catalin Cimpanu
Exploiting the bug is trivial, and public proof-of-concept exploit code was published on GitHub earlier this week. “The PoC script included in the GitHub repository can query a target web server to identify whether or not it is vulnerable by sending specially crafted requests,” says Satnam Narang, Senior Security Response Manager at Tenable. “Once a vulnerable target has been identified, attackers can send specially crafted requests by appending ‘?a=’ in the URL to a vulnerable web server.”

Fortunately, not all PHP-capable web servers are impacted. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features.

This blog post from Wallarm, the company that found the PHP7 RCE, includes instructions on how webmasters can use the standard mod_security firewall utility to block %0a (newline) bytes in website URLs and so prevent incoming attacks. Because public PoC code is available and the bug is simple to exploit, website owners are advised to check their server settings and update PHP as soon as possible if they run the vulnerable configuration.
Link: https://www.zdnet.com/article/nasty-php7-remote-code-execution-bug-exploited-in-the-wild/
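As an added example (not taken from the ZDNet article or from Wallarm's post), the same %0a check can be run after the fact over access logs to see whether such requests have already reached a server. It assumes NGINX's default "combined" log format; the log lines and the function name `find_encoded_newlines` are constructed for illustration.

```python
import re

# "combined" access-log prefix: client, timestamp, "METHOD URI PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# Percent-encoded newline exactly as logged, in either case (%0a or %0A).
ENCODED_NL = re.compile(r"%0a", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.64"',
    '198.51.100.7 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php/a%0Ab?a=1 HTTP/1.1" 502 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2020:10:00:03 +0000] "GET /search.php?q=one%0atwo HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.11 - - [01/Jan/2020:10:00:04 +0000] "GET /docs/a%20b.html HTTP/1.1" 200 77 "-" "-"',
    'not an access log line',
]


def find_encoded_newlines(lines):
    """Return (line_number, client_ip, where, uri) for each request whose URI
    carries a percent-encoded newline; where is 'path', 'query' or 'path+query'."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if match is None:
            continue  # unparseable line: skip rather than guess at its fields
        uri = match.group("uri")
        # Split the raw URI without decoding it, so %0a stays visible.
        path, _, query = uri.partition("?")
        where = [name for name, part in (("path", path), ("query", query))
                 if ENCODED_NL.search(part)]
        if where:
            hits.append((number, match.group("ip"), "+".join(where), uri))
    return hits


if __name__ == "__main__":
    for number, ip, where, uri in find_encoded_newlines(SAMPLE_LOG):
        print(f"line {number}: {ip} sent %0a in {where}: {uri}")
```

A hit only shows that a URL contained an encoded newline; whether the server was exposed still depends on the NGINX and PHP-FPM configuration and the PHP version in use.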