With this PHP bug even a school kid could take control of your servers

Web application security specialists report the discovery of a security vulnerability in the PHP programming language, one of the most widely used technologies on the Internet: it underpins content management systems such as WordPress and Drupal, as well as some web applications, such as Facebook.

The latest iteration of this web development language, PHP 7, contains a remote code execution (RCE) vulnerability of considerable seriousness, according to Emil Lerner, a researcher based in Russia.

According to the web application security expert, if exploited, the CVE-2019-11043 vulnerability would allow a threat actor to force a remote server to execute arbitrary code of the attacker’s choosing simply by accessing a URL crafted for that purpose. “A hacker would only require adding the characters ‘?a’ to the targeted website address, in addition to the malicious payload,” the expert, also known as ‘Neex’, says.

Moreover, a report published by the specialized outlet ZDNet notes that this flaw makes it ridiculously easy to compromise a website, since even a user with no hacking experience and only a passing familiarity with some basic concepts could exploit it. However, it is not all bad news: web application security experts point out that the vulnerability appears to affect only deployments that use the NGINX web server together with PHP-FPM, an updated version of FastCGI.

Although neither of these components is required to use PHP 7, the combination remains very common, especially in commercial environments. For example, productivity software vendor NextCloud uses PHP 7 with NGINX and PHP-FPM. The company has alerted its customers and asked them to install the latest PHP update as soon as possible.

If website administrators are unable to update their PHP installations, web application security experts from the International Institute of Cyber Security (IICS) recommend adding a mod_security rule to their firewall.
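Since the article states that only NGINX deployments fronting PHP-FPM are affected, an administrator’s first question is which PHP handler blocks in their NGINX configuration are exposed. The following Python checker is an added example, not code from the article or from IICS; it assumes (from the public upstream PHP bug report, not from this article) that the recommended configuration workaround is a `try_files $fastcgi_script_name =404;` line in the PHP location block, so that requests for scripts that do not exist on disk never reach PHP-FPM. It scans a constructed sample configuration and flags blocks that use `fastcgi_split_path_info` with `fastcgi_pass` but lack that guard.

```python
import re

# Constructed sample: two PHP-FPM handler blocks. The first passes every *.php
# URI to PHP-FPM without checking that the script exists; the second adds the
# try_files guard (the workaround named in the upstream PHP bug report, an
# assumption not taken from the article above).
SAMPLE_NGINX_CONF = r"""
server {
    root /var/www/html;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
    }
    location ~ ^/admin/.*\.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        include fastcgi_params;
    }
}
"""

_LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{")  # "location <pattern> {"

def _block_body(conf: str, start: int) -> str:
    """Return the text between the braces, given conf[start] == '{'."""
    depth = 0
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start + 1:i]
    raise ValueError("unbalanced braces in nginx config")

def find_unguarded_php_locations(conf: str) -> list:
    """Location patterns that hand .php URIs to PHP-FPM using
    fastcgi_split_path_info but never verify the script exists."""
    findings = []
    for m in _LOCATION_RE.finditer(conf):
        pattern = m.group(1).strip()
        if ".php" not in pattern:
            continue  # not a PHP handler block
        body = _block_body(conf, m.end() - 1)  # m.end() - 1 is the '{'
        guarded = re.search(r"try_files\s+\$fastcgi_script_name\s+=404", body)
        if "fastcgi_pass" in body and "fastcgi_split_path_info" in body and not guarded:
            findings.append(pattern)
    return findings
```

Running `find_unguarded_php_locations(SAMPLE_NGINX_CONF)` reports only the first block; a clean result does not replace updating PHP, it only shows which handlers would benefit from the configuration workaround in the meantime.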

The presence of this vulnerability is a highly serious matter: many environments are at risk and exploitation is not a particularly complex process. Furthermore, the existence of workarounds and security patches does not mean the risk of exploitation is fully mitigated. A clear example of this is the OpenSSL Heartbleed vulnerability: although more than two years have passed since its detection, hundreds of thousands of servers remain vulnerable to exploitation.

As if that weren’t enough, the evidence collected so far suggests that threat actors have already exploited this vulnerability in the wild against a specific group of organizations, so it is vital that website administrators implement all available mitigation measures.