Security advisory: EZSA-2019-008

Remote code execution in PHP-FPM
Publication date:
07/11/2019, 12:00


Affected versions: Any using PHP-FPM (PHP in FastCGI mode)
Resolving versions: PHP versions 7.3.11, 7.2.24, 7.1.33

This Security Advisory is about a vulnerability in PHP, which can lead to remote code execution (RCE), a very serious threat in itself. Affected is PHP running in FastCGI mode (php-fpm) with the Nginx webserver, possibly also other web servers. Attackers can use a specially crafted URL to break Nginx's configuration processor and achieve code execution. This is independent of what PHP application you are using.

On the basis of the tests we have made, we believe eZ Platform is not vulnerable, as long as our recommended vhost configuration is used. Here is the v2.5 recommendation, as an example:

This vhost template specifies that only the file app.php in the web root is executed, while vulnerable configurations allow execution of any php file. However, we cannot be 100% certain our configuration is not vulnerable. We also do not know if all our users use the recommended configuration, so we send out this warning to be on the safe side.

This vulnerability is fixed in PHP versions 7.3.11, 7.2.24, and 7.1.33. If you are using PHP supplied by a Linux distribution, please refer to their package upgrades. We strongly recommend that you install this update, especially if you use php-fpm in Nginx.

If you cannot install this update (yet), a possible workaround is to add a condition like

try_files $uri =404

in your vhost, in the location section which specifies fastcgi commands. Please test this before going live, and refer to the Nginx documentation. This section describes a similar vulnerability, with various solutions:

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories