Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

PHP-FPM/Nginx Vulnerability – CVE-2019-11043 - Page 2
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

PHP-FPM/Nginx Vulnerability – CVE-2019-11043

2»

Comments

  • SteveMCSteveMC Member

    angstrom said: Just saw that a company, F5 Networks, acquired NGINX in May

    It definitively convinced me to switch to H2O.

    I switched from Apache to nginx, long ago, because it was consuming way less resources, then, I started to look at other web servers (because you always need to have a Plan B, just in case), and I liked H2O a lot.

  • raindog308raindog308 Administrator, Veteran

    poisson said: Frankly, I never had problems with Apache. It is very stable for most use cases. I don't need a Ferrari to send kids to school; an Audi will do.

    If you chose Apache, you settled for a Chevrolet.

    Thanked by 1Janevski
  • poissonpoisson Member

    @raindog308 said:

    poisson said: Frankly, I never had problems with Apache. It is very stable for most use cases. I don't need a Ferrari to send kids to school; an Audi will do.

    If you chose Apache, you settled for a Chevrolet.

    Ok, I was afraid you will tell me I settled for Geely or Tata. Chevrolet is still driveable.

    I guess I will learn and use Nginx if my websites crashes from too much traffic. It is a happy problem if that happens.

  • vyas11vyas11 Member
    edited October 2019

    @poisson said:

    Ok, I was afraid you will tell me I settled for Geely or Tata. Chevrolet is still driveable.

    I own and drive a Tata 11 years and counting. Held together by duct tape in some areas. But I wouldn't trade my horse for anything that treads (to quote Shakespeare).

    I guess I will learn and use Nginx if my websites crashes from too much traffic.

    In my case, added lighttpd to make the party complete. And in the light of what I wrote about the car, traffic and crashes are not desirable for me.

    Cheers

  • legalstufflegalstuff Member

    OpenLiteSpeed is quite a decent alternative to nginx. Same or even better performance.

  • JanevskiJanevski Member
    edited October 2019

    @raindog308 said:

    poisson said: Frankly, I never had problems with Apache. It is very stable for most use cases. I don't need a Ferrari to send kids to school; an Audi will do.

    If you chose Apache, you settled for a Chevrolet.

    Put it in H!

  • angstromangstrom Moderator

    @raindog308 said:

    poisson said: Frankly, I never had problems with Apache. It is very stable for most use cases. I don't need a Ferrari to send kids to school; an Audi will do.

    If you chose Apache, you settled for a Chevrolet.

    A Chevy is fine for me!

  • somiksomik Member
    edited October 2019

    I was using nginx with php-fpm, but apparently my server did not have this vulnerability.

    This happens is you are running php-fpm with this configuration:

    location ~ [^/]\.php(/|$) {
  ...
  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  fastcgi_param PATH_INFO       $fastcgi_path_info;
  fastcgi_pass   php:9000;
  ...
}

    However I was running php with:

    location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

    And was not able to run this exploit as it as based on the regex for "fastcgi_split_path_info" which I don't have.

    Hope this helps someone.

    Edit:
    Forgot to mention that I'm running nginx due to its low memory usage and the fact that I'm using it as a reverse proxy.

    My main site runs on the slow apache as I prefer running fcgi (I think) where php runs as individual user, and not as www-data or single user.

  • WirrkopfWirrkopf Member
    edited October 2019

    somik said: And was not able to run this exploit as it as based on the regex for "fastcgi_split_path_info" which I don't have.

    Check your 'fastcgi_params'. It sometimes is there but you are safe since you are using 'try_files $uri =404'.

  • somiksomik Member

    @Wirrkopf said:

    somik said: And was not able to run this exploit as it as based on the regex for "fastcgi_split_path_info" which I don't have.

    Check your 'fastcgi_params'. It sometimes is there but you are safe since you are using 'try_files $uri =404'.

    no, it only contains this:

    fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-r
edirect
fastcgi_param  REDIRECT_STATUS    200;

    It is used to define some global values as fastcgi does not have them by default.

Sign In or Register to comment.