ASA-2019-00595 – PHP: env_path_info underflow in fpm_main.c can lead to Remote Code Execution (RCE)

Allele Security Alert



ASA-2019-00595, CVE-2019-11043


env_path_info underflow in fpm_main.c can lead to Remote Code Execution (RCE)


The PHP Development Team



Affected version(s)

PHP versions before 7.3.11
PHP versions before 7.2.24
PHP versions before 7.1.33

Fixed version(s)

PHP version 7.3.11
PHP version 7.2.24
PHP version 7.1.33

Proof of concept



In PHP in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Technical details

Line 1140 in file sapi/fpm/fpm/fpm_main.c contains pointer arithmetic that assumes env_path_info has a prefix equal to the path to the PHP script. However, the code does not check that this assumption is satisfied. The absence of the check can lead to an invalid pointer in the "path_info" variable.

Such conditions can be achieved in a pretty standard Nginx configuration. If one has Nginx config like this:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}

The regexp in the `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). A broken regexp leads to an empty PATH_INFO, which triggers the bug.

This issue leads to code execution. Later in the code, the value of path_info[0] is set to zero; then FCGI_PUTENV is called. Using a carefully chosen length of the URL path and query string, an attacker can make path_info point precisely to the first byte of the _fcgi_data_seg structure. Putting zero into it moves the `char* pos` field backwards, and the following FCGI_PUTENV overwrites some data (including other FastCGI variables) with the script path. Using this technique, it is possible to create a fake PHP_VALUE FastCGI variable and then use a chain of carefully chosen config values to get code execution.
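The following Python script is an added example for defenders; it is not part of this alert, the PHP bug report or the PHP project. It reproduces the `fastcgi_split_path_info` regexp from the Nginx configuration above to show why a decoded newline in the path makes the split fail (Python's `re` shares the relevant PCRE semantics here: `.` does not match a newline and `$` only matches at the end of the string), and it scans constructed Nginx access-log lines for `.php` requests whose decoded path contains such a newline, which is the condition the alert names as the trigger for the empty PATH_INFO. The log lines, client addresses and paths are constructed sample data; the assumption that an unmatched split leaves the full URI as the script name is noted in the code.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Same pattern as the fastcgi_split_path_info directive in the alert.
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")

# Extracts the request line from an Nginx "combined" format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic). Line 3 carries an encoded
# newline (%0A) inside the path-info part of a .php request.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2019:10:00:01 +0000] "GET /index.php/article/1 HTTP/1.1" 200 512 "-" "curl/7.64"
10.0.0.5 - - [05/Nov/2019:10:00:02 +0000] "GET /index.php?x=1 HTTP/1.1" 200 512 "-" "curl/7.64"
10.0.0.9 - - [05/Nov/2019:10:00:03 +0000] "GET /index.php/a%0Ab HTTP/1.1" 502 0 "-" "python-requests/2.22"
10.0.0.9 - - [05/Nov/2019:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def split_path_info(decoded_path: str):
    """Mimic the two captures of fastcgi_split_path_info on an already-decoded path.

    Returns (script_name, path_info). When the regexp does not match, path_info
    is "" (this is the empty PATH_INFO the alert describes). Assumption for the
    unmatched case: the script name is left as the whole path.
    """
    m = SPLIT_PATH_INFO.match(decoded_path)
    if m is None:
        return decoded_path, ""
    return m.group(1), m.group(2)


def is_suspicious(decoded_path: str) -> bool:
    """Flag a .php request whose decoded path contains a newline and whose split
    therefore fails. Plain requests without path info (e.g. /index.php) also have
    an empty PATH_INFO, so the newline requirement keeps those out."""
    if ".php" not in decoded_path or "\n" not in decoded_path:
        return False
    return split_path_info(decoded_path)[1] == ""


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one record per log line that matches is_suspicious()."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Drop the query string, then decode percent-escapes as Nginx does for $uri.
        raw_path = m.group("target").split("?", 1)[0]
        decoded = unquote(raw_path)
        if is_suspicious(decoded):
            hits.append({"line": lineno, "client": line.split(" ", 1)[0], "path": decoded})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d from %s: %r" % (hit["line"], hit["client"], hit["path"]))
```

Running the script reports only the third sample line. A hit in real logs is a signal to verify the PHP version against the fixed versions listed above; the check is a detection aid and does not replace upgrading or the `try_files $fastcgi_script_name =404;` guard that the NGINX article in the references recommends for the location block.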


neex, beched and d90pwn


Sec Bug #78599 env_path_info underflow in fpm_main.c can lead to RCE

Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)


PHP-FPM Remote Code Execution Vulnerability (CVE-2019-11043) Analysis

Testing CVE-2019-11043 (php-fpm security vulnerability) with LXD system containers

Addressing the PHP-FPM Vulnerability (CVE-2019-11043) with NGINX

Exploit for CVE-2019-11043

PHP 7.3.11 Released

Version 7.3.11 – Changelog

PHP 7.1.33 Released

Version 7.3.11 – Changelog

PHP 7.2.24 Released

Version 7.2.24 – Changelog

CVE-2019-11043 - Red Hat Customer Portal


CVE-2019-11043 | SUSE

CVE-2019-11043 in Ubuntu



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 5, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.