Website owners will have to strengthen their defenses now that a new security exploit has been found.
Websites based on the PHP programming language and connected to the NGINX web server are currently at risk. This is a big deal, as more than 39 million websites run on PHP, although not all of them are connected to the NGINX web server.
The scary part is that the exploit is relatively easy to execute. Even a non-technical user can follow the steps and hack through a website's server. Therefore, web administrators must take this issue seriously and take no chances.
Finding the vulnerability
The security flaw was discovered by security firm Wallarm's Andrew "d90pwn" Danau. The flaw was later weaponized by two of his colleagues, Neex and beched, who developed a fully working remote code execution exploit.
On Oct. 21, Russia-based security researcher Neex submitted the bug report detailing the exploit.
The vulnerability allows a hacker to force a remote web server to execute arbitrary code they provide by accessing a crafted URL. This is done by adding "?a=" to the website address, followed by the code.
Catalin Cimpanu of ZDNet notes that this exploit lowers the barrier to entry to any website, potentially allowing virtually anyone to access vulnerable websites.
The flaw is currently being monitored under the code CVE-2019-11043 by the National Vulnerability Database.
How to know if you're vulnerable
Not all websites running on PHP are vulnerable, and not all that are connected to the NGINX web server are affected either. The website also has to be running the PHP-FPM extension for the exploit to work. PHP-FPM is most commonly used by high-traffic websites.
The Hacker News summarizes a checklist that web owners could use to check their vulnerability:
- NGINX is configured to forward PHP page requests to the PHP-FPM processor,
- fastcgi_split_path_info directive is present in the configuration and includes a regular expression beginning with a '^' symbol and ending with a '$' symbol,
- PATH_INFO variable is defined with fastcgi_param directive,
- There are no checks like try_files $uri =404 or if (-f $uri) to determine whether a file exists or not.
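The four checklist conditions can be tested against a local copy of the NGINX configuration, without sending any request to the site. The script below is an added example, not code from the article or from the researchers it names; the sample configs are constructed, and `location_blocks` and `audit` are hypothetical helper names. It assumes any file-existence guard is written inside the same location block.

```python
import re

# Constructed sample configs (not from the article). VULNERABLE meets all
# four checklist items; GUARDED adds the try_files existence check.
VULNERABLE = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
}
"""
GUARDED = VULNERABLE.replace(
    "fastcgi_pass", "try_files $uri =404;\n        fastcgi_pass")

# Checklist items 1-3: each must be present in the location block.
REQUIRED = {
    "forwards to PHP-FPM": r"\bfastcgi_pass\s+\S+",
    "split regex anchored ^...$":
        r"\bfastcgi_split_path_info\s+[\"']?\^[^;]*\$[\"']?\s*;",
    "PATH_INFO defined": r"\bfastcgi_param\s+PATH_INFO\s",
}
# Checklist item 4: either file-existence check counts as a guard.
GUARD = r"\btry_files\s+\$uri\s+=404\s*;|\bif\s*\(\s*!?-f\s+\$uri\b"


def location_blocks(conf):
    """Yield (header, body) per location block; braces are matched so a
    nested `if (...) { }` stays inside its location."""
    conf = re.sub(r"(?m)(^|\s)#.*$", r"\1", conf)  # drop comments
    for m in re.finditer(r"\blocation\b([^{;]*)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]


def audit(conf):
    """Return headers of location blocks matching all four conditions."""
    return [header for header, body in location_blocks(conf)
            if all(re.search(p, body) for p in REQUIRED.values())
            and not re.search(GUARD, body)]


if __name__ == "__main__":
    print("flagged:", audit(VULNERABLE), "| guarded:", audit(GUARDED))
```

A flagged block is a reason to patch PHP and add the existence check; an empty result only means this particular pattern was not found in the text that was scanned.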
A proof-of-concept script made by Neex also allows users to check if a website is vulnerable to the exploit. You could use this to check your website's vulnerability, but so can hackers. It is advisable just to skip this step and beef up your security regardless of your vulnerability.
Quick Fix
Thankfully, it also doesn't take a genius to patch things up. The PHP developers have already been made aware of the problem, so updating PHP 7 to the latest version fixes the issue. Make sure that you're running on either PHP 7.3.11 or PHP 7.2.24. Of course, it's advisable just to update your PHP regardless of your security risk status.
Site owners could also set a rule within the standard PHP mod_security firewall to prevent hackers from reaching their website.
Why worry about hacking
Hacking poses a real threat to users, especially those who transact online. Aside from usernames and passwords, hackers could gain access to your private information, personal communications, and other data that they may use against you. More importantly, they could gain access to sensitive information, like your credit card information, which hackers could use against your will.
One notorious security flaw was the Heartbleed bug that affected OpenSSL users. Monitored under the code CVE-2014-0160, the bug allowed hackers to steal information, files, and accounts without leaving a trace.
It is, therefore, important for web owners to secure their sites, as it is their responsibility to keep the information of their users on their website safe from hackers.