1. 7
    RCE through open PHP-FPM ports php security web openwall.com
    hanno avatar authored by hanno 3 years ago |
    Archive.org Archive.today Ghostarchive
    | 5 comments
  1. 1
    0x2ba22e11 avatar 0x2ba22e11 3 years ago | link

    So anything which can open the TCP port to PHP-FPM can execute arbitrary code as it? This seems like it might be a awkward if you had a setup where multiple different accounts have PHP-FPM processes running on the same machine, binding different TCP ports on localhost.

    I hope PHP-FPM at least defaults to binding to localhost rather than 0.0.0.0 (I think this is the case, but it’s been a while since I looked) and wouldn’t it be nice if it would bind a unix domain socket rather than a TCP socket, eh?

    1. 2
      pilif avatar pilif 3 years ago | link

      It defaults to binding to 127.0.0.1:9000. I don’t see who would change this to be a public interface. But I guess it’s possible.

      https://github.com/php/php-src/blob/master/sapi/fpm/www.conf.in#L36

      1. 1
        0x2ba22e11 avatar 0x2ba22e11 3 years ago | link

        Thanks! That’s pleasingly sensible. :)

    2. 1
      mort avatar mort 3 years ago | link

      I don’t quite understand this. It looks like, for this to be an issue, the attacker has to be able to set the PHP_VALUE env var to whatever they want? Surely you have bigger issues on your hands if attackers can arbitrarily set environment variables?

      1. 3
        hanno avatar hanno 3 years ago | link

        Okay, I guess I should’ve explained this better.

        Part of the fastcgi/fpm protocol is to send over the environment of the client. This effectively means this environment variable can be set by the client, i.e. the attacker.

        This should become clearer if you look at the poc script: https://github.com/hannob/fpmvuln/blob/master/fpmrce