CVE-2019-11043: PHP-FPM Remote Code Execution (RCE) Technical Analysis & Patch

Опубликовано: 14 Июнь 2026
на канале: r0otk3r

245

⚠️ EDUCATIONAL PURPOSE ONLY: This video is for security research, system administration, and authorized testing purposes only. The goal is to demonstrate the mechanics of a vulnerability to help organizations identify, verify, and patch critical risks.

Overview

CVE-2019-11043 is a high-impact Remote Code Execution (RCE) vulnerability in PHP-FPM (FastCGI Process Manager). Discovered during a CTF competition, this flaw allows unauthenticated attackers to execute arbitrary code on servers running specific Nginx configurations. Because it affects core web infrastructure, it is listed in the CISA Known Exploited Vulnerabilities Catalog.

Technical Breakdown
The vulnerability is an env_path_info underflow flaw in the fpm_main.c file:

The Entry Point: Vulnerable Nginx configurations using the fastcgi_split_path_info directive allow attackers to manipulate the PATH_INFO variable.
The Flaw: By embedding a newline character (%0a) in the URL, an attacker can break the regular expression used to parse the path, leading to an empty PATH_INFO.
Memory Corruption: This empty value causes a buffer underflow in PHP-FPM, allowing the attacker to overwrite internal PHP variables and memory.
Execution: Attackers can chain this memory corruption to set custom php.ini values (like auto_prepend_file) to achieve full OS command execution via the URL.

Affected Versions

PHP 7.1.x below 7.1.33.
PHP 7.2.x below 7.2.24.
PHP 7.3.x below 7.3.11.

How to Fix & Mitigate

Upgrade PHP: Immediately update to PHP 7.1.33, 7.2.24, 7.3.11, or any version in the PHP 7.4+ or 8.x branch.
Config Patch: Add a file existence check in your Nginx configuration (e.g., try_files $uri =404) before forwarding requests to FastCGI.
WAF Protection: Deploy rules to block requests containing encoded newlines (%0a or %0d) in URLs targeting PHP files.

🔗 Links & Resources:

https://github.com/vulhub/vulhub/tree...

https://bugs.php.net/bug.php?id=78599

https://nvd.nist.gov/vuln/detail/cve-...

https://github.com/neex/phuip-fpizdam

👍 Like • 💬 Comment • 🔁 Share

.
.
.
.
.
.
.
.
.
.

Tags:

#CVE201911043 #PHP #Nginx #CyberSecurity #PHuiPFPizdaM #Infosec #WebSecurity #FastCGI #PatchNow