1. 6
  1.  

  2. 4

    ‘Hui’ is Russian vulgar for penis, likewise ‘pizda’ is for vagina.

    1. 2

      Not only in Russian. Reading the title I was amazed that somehow the author has managed to put 2 swear words in some exploit name :)

      edit: unless this was actually not accidental but planned, in this case it’s cheap and weak.

      1. 2

        Yep, quite certain it was the latter.

    2. 3

      One of the preconditions for the exploit:

      No file existence checks like try_files $uri =404 or if (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch.

      E.g., if you have followed the official “PHP FastCGI Example” example from nginx.com from http://web.archive.org/web/20150928021324/https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/, and are using try_files $uri =404; or if (!-f $uri) { return 404; } or some such, then you won’t be vulnerable to this PHP-FPM CVE.

      1. 2

        By the way, if you use Nextcloud, this applies to you.