1. 7
  1.  

  2. 1

    So anything which can open the TCP port to PHP-FPM can execute arbitrary code as it? This seems like it might be a awkward if you had a setup where multiple different accounts have PHP-FPM processes running on the same machine, binding different TCP ports on localhost.

    I hope PHP-FPM at least defaults to binding to localhost rather than 0.0.0.0 (I think this is the case, but it’s been a while since I looked) and wouldn’t it be nice if it would bind a unix domain socket rather than a TCP socket, eh?

    1. 2

      It defaults to binding to 127.0.0.1:9000. I don’t see who would change this to be a public interface. But I guess it’s possible.

      https://github.com/php/php-src/blob/master/sapi/fpm/www.conf.in#L36

      1. 1

        Thanks! That’s pleasingly sensible. :)

    2. 1

      I don’t quite understand this. It looks like, for this to be an issue, the attacker has to be able to set the PHP_VALUE env var to whatever they want? Surely you have bigger issues on your hands if attackers can arbitrarily set environment variables?

      1. 3

        Okay, I guess I should’ve explained this better.

        Part of the fastcgi/fpm protocol is to send over the environment of the client. This effectively means this environment variable can be set by the client, i.e. the attacker.

        This should become clearer if you look at the poc script: https://github.com/hannob/fpmvuln/blob/master/fpmrce