Bug #66600 FPM Module is Exposed in URL (/fcgi-php-fpm/)
Submitted: 2014-01-29 00:01 UTC
Modified: 2014-01-29 04:30 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: hansv at senseofsecurity dot com dot au
Assigned:
Status: Closed
Package: FPM related
PHP Version: Irrelevant
OS: Debian
Private report: No
CVE-ID: None

 
 [2014-01-29 00:01 UTC] hansv at senseofsecurity dot com dot au
Description:
------------
When a file is requested on a website by a user, it is normally done as follows:
http://127.0.0.1/somefile.php

During a review of logs, it was discovered that the same file can be called:
http://127.0.0.1/fcgi-php-fpm/somefile.php

Which confirms that FCGI is in use.

Furthermore, some misconfigurations may allow the user or an attacker to access files outside the document root as follows:
http://127.0.0.1/fcgi-php-fpm/home/v1234567890/html/somefile.php

Where "/home/v1234567890/html/" is an example of a shared hosting URL. (This was confirmed.)

Can you please look into this if it's an unknown bug or feature that you can't disable? (It looks like a feature.)

If it's a known feature that you can disable, is it possible to disable in the PHP FPM configuration files? And if so, how/where?


Version used: 5.4.4-14+deb7u5 
(Latest Debian version package)

---
From manual page: http://www.php.net/install.fpm
---

Test script:
---------------
Please see description.

Expected result:
----------------
When the "/fcgi-php-fpm/" path is included in the URL, and a PHP file executes as it should, it is revealed that PHP FPM is in use even though all other headers and filenames may have been removed.

Furthermore, in some shared hosting cases, it is possible to access files below the "document root" for that user and possibly other users, depending on how severe an "access control misconfiguration" is. 


Patches

Unable_to_create_patch (last revision 2014-01-29 00:03 UTC by hansv at senseofsecurity dot com dot au)

 [2014-01-29 02:49 UTC] hansv at senseofsecurity dot com dot au
It appears that this is an Apache "feature" and not a PHP problem most likely.

Response from Apache:
"Every request to /fcgi-php-fpm is mapped to something that doesn't exist on disk (by the Alias directive), so no <Directory> or <Files> configuration is applicable."
 [2014-01-29 04:30 UTC] hansv at senseofsecurity dot com dot au
-Status: Open +Status: Closed
 [2014-01-29 04:30 UTC] hansv at senseofsecurity dot com dot au
It's an Apache misconfiguration that's not pointed out very clearly.
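
The log review mentioned in the report can be automated. The following is an added example, not part of the original bug report or of PHP or Apache: a Python scanner that flags access-log requests made directly through the handler alias and separates those that carry an absolute filesystem path. The alias prefix and URLs come from the report; `FS_PREFIXES`, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Alias prefix as it appears in the report's URLs.
ALIAS = "/fcgi-php-fpm/"
# Assumption: top-level directories that mark a filesystem path, not a site URL.
FS_PREFIXES = ("/home/", "/var/", "/etc/", "/usr/", "/srv/", "/tmp/")

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return None for unrelated lines, else a dict describing the alias hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, then decode percent-encoding in the path.
    path = unquote(m["target"].split("?", 1)[0])
    if not path.startswith(ALIAS):
        return None
    rest = "/" + path[len(ALIAS):]
    status = int(m["status"])
    return {
        "host": m["host"],
        "time": m["time"],
        "path": path,
        "status": status,
        # Absolute filesystem path after the alias vs. plain direct alias use.
        "kind": "filesystem-path" if rest.startswith(FS_PREFIXES) else "alias-direct",
        # A 2xx status means the server answered the request successfully.
        "served": 200 <= status < 300,
    }

def scan(lines):
    """Return the classified alias hits found in an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [29/Jan/2014:00:00:01 +0000] "GET /somefile.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [29/Jan/2014:00:00:05 +0000] "GET /fcgi-php-fpm/somefile.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/Jan/2014:00:00:09 +0000] "GET /fcgi-php-fpm/home/v1234567890/html/somefile.php HTTP/1.1" 200 512',
    '192.0.2.12 - - [29/Jan/2014:00:00:12 +0000] "GET /fcgi-php-fpm/home/v1234567890/html/other.php?a=1 HTTP/1.1" 403 199',
]
```

Hits of kind `filesystem-path` with `served` set to true are the ones to review first, since they correspond to the access outside the document root described in the report.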
 
Last updated: Sat Aug 13 18:05:44 2022 UTC