The directive fastcgi_split_path_info is only enabled on NGINX servers, so no other servers are likely to be affected. PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 are vulnerable according to CVE-2019-11043.Īfter testing various combinations of PHP and server versions, we determined that only PHP 7 versions on NGINX servers with PHP-FPM, a FastCGI Process Manager for PHP, enabled are vulnerable. Our research and the details provided at indicate the vulnerability is due to code in fpm_main.c. Remediation instructions are included below.
Xampp for windows exploit Patch#
While you are getting ready to patch, you can easily deploy a virtual patch via pre-built templates in Qualys Web Application Firewall. We recommend organizations immediately remediate all systems that are vulnerable. Qualys Web Application Scanning (WAS) will test for this vulnerability as long as QIDs 150271 are included in your scan. Because the vulnerability is limited to specific configurations, the number of vulnerable installations is smaller than it might be. Given the simplicity of the exploit, all web servers using the vulnerable version of PHP should be upgraded to non-vulnerable PHP versions as soon as possible. Certain versions of PHP 7 running on NGINX with php-fpm enabled can be vulnerable to the remote code execution vulnerability CVE-2019-11043.
0 kommentar(er)
