Bug #66600 FPM Module is Exposed in URL (/fcgi-php-fpm/)
Submitted: 2014-01-29 00:01 UTC Modified: 2014-01-29 04:30 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: hansv at senseofsecurity dot com dot au Assigned:
Status: Closed Package: FPM related
PHP Version: Irrelevant OS: Debian
Private report: No CVE-ID: None
 [2014-01-29 00:01 UTC] hansv at senseofsecurity dot com dot au
Description:
------------
When a file is requested on a website by a user, it is normally done as follows:
http://127.0.0.1/somefile.php

During a review of logs, it was discovered that the same file can be called:
http://127.0.0.1/fcgi-php-fpm/somefile.php

Which confirms that FCGI is in use.

Furthermore, some misconfigurations may allow the user or an attacker to access files outside the document root as follows:
http://127.0.0.1/fcgi-php-fpm/home/v1234567890/html/somefile.php

Where "/home/v1234567890/html/" is an example of a shared hosting URL. (This was confirmed.)

Can you please look into this if it's an unknown bug or feature that you can't disable? (It looks like a feature.)

If it's a known feature that you can disable, is it possible to disable in the PHP FPM configuration files? And if so, how/where?


Version used: 5.4.4-14+deb7u5 
(Latest Debian version package)

---
From manual page: http://www.php.net/install.fpm
---

Test script:
---------------
Please see description.

Expected result:
----------------
When the "/fcgi-php-fpm/" path is included in the URL, and a PHP file executes as it should, it is revealed that PHP FPM is in use even though all other headers and filenames may have been removed.

Furthermore, in some shared hosting cases, it is possible to access files below the "document root" for that user and possibly other users, depending on how severe an "access control misconfiguration" is. 


Patches

Unable_to_create_patch (last revision 2014-01-29 00:03 UTC by hansv at senseofsecurity dot com dot au)

History

 [2014-01-29 02:49 UTC] hansv at senseofsecurity dot com dot au
It appears that this is an Apache "feature" and not a PHP problem most likely.

Response from Apache:
"Every request to /fcgi-php-fpm is mapped to something that doesn't exist on disk (by the Alias directive), so no <Directory> or <Files> configuration is applicable."
 [2014-01-29 04:30 UTC] hansv at senseofsecurity dot com dot au
-Status: Open +Status: Closed
 [2014-01-29 04:30 UTC] hansv at senseofsecurity dot com dot au
It's an Apache misconfiguration that's not pointed out very clearly.
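
The report says the alias was found during a log review. The following is an added example, not code from the reporter or from PHP or Apache, that flags access-log entries where a client reached the `/fcgi-php-fpm/` alias directly. The log lines are constructed, and the list of filesystem roots is an assumption to adjust per host.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

ALIAS = "/fcgi-php-fpm/"  # handler alias named in this report
# Assumption: top-level directories that indicate an on-disk path after the alias.
FS_ROOTS = ("home/", "var/", "etc/", "usr/", "srv/", "tmp/")

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [29/Jan/2014:00:01:00 +0000] "GET /somefile.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/Jan/2014:00:02:00 +0000] "GET /fcgi-php-fpm/somefile.php HTTP/1.1" 200 512',
    '192.0.2.12 - - [29/Jan/2014:00:03:00 +0000] '
    '"GET /fcgi-php-fpm/home/v1234567890/html/somefile.php HTTP/1.1" 200 512',
    '192.0.2.13 - - [29/Jan/2014:00:04:00 +0000] "GET /%66cgi-php-fpm//somefile.php?a=1 HTTP/1.1" 404 0',
]


def alias_hits(lines):
    """Return (client, path, status, kind) for requests that name the alias directly."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        client, _method, target, status = m.groups()
        # Drop the query string, percent-decode, then collapse "//" and "../"
        # so encoded or padded variants of the alias are matched as well.
        raw = unquote(target.split("?", 1)[0])
        path = normpath("/" + raw.lstrip("/"))
        if not (path + "/").startswith(ALIAS):
            continue
        rest = path[len(ALIAS):]
        # A remainder that starts like an absolute on-disk path matches the
        # document-root bypass described in the report; anything else only
        # shows that the handler alias is reachable.
        kind = "filesystem-path" if rest.startswith(FS_ROOTS) else "handler-exposed"
        hits.append((client, path, int(status), kind))
    return hits


if __name__ == "__main__":
    for hit in alias_hits(SAMPLE):
        print(hit)
```

Entries of kind `filesystem-path` that returned status 200 are the ones to review first, since they correspond to the access outside the document root that the report confirms.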
 