The attack is possible in nginx configurations where requests are forwarded to PHP-FPM by splitting the URL with the "fastcgi_split_path_info" directive and setting the PATH_INFO environment variable from the result, without first checking that the script file exists via the "try_files $fastcgi_script_name" directive or an "if (!-f $document_root$fastcgi_script_name)" block. A vulnerable configuration looks like this:
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
The status of fixes in distributions can be tracked on the distributions' own pages. As a workaround, add a file-existence check to the location block:
try_files $fastcgi_script_name =404;
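To make the difference between the vulnerable and the fixed configuration concrete, here is an added checker (example code written for this page, not from the original article or from the nginx or PHP projects). It scans nginx configuration text for location blocks that use fastcgi_split_path_info and set PATH_INFO but contain neither a "try_files ... $fastcgi_script_name" line nor an "if (!-f ...$fastcgi_script_name)" block. The configuration it scans is constructed inline: the first block mirrors the vulnerable snippet above, the other two add the two forms of the file-existence check. The block parsing and the directive matching are regex heuristics, not a full nginx parser.

```python
"""Heuristic audit for PHP-FPM location blocks that set PATH_INFO without a
file-existence check (constructed example, not part of the original article)."""
import re

# Constructed sample configuration: block 1 is the vulnerable pattern from the
# article, block 2 adds try_files, block 3 uses the if (!-f ...) form.
SAMPLE_CONFIG = r"""
server {
    listen 80;
    root /var/www/html;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
}

server {
    listen 8080;
    root /var/www/app;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        try_files $fastcgi_script_name =404;   # check present
        fastcgi_pass php:9000;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {   # check present
            return 404;
        }
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""

LOCATION_RE = re.compile(r"\blocation\s+([^{]*)\{")
SPLIT_RE = re.compile(r"\bfastcgi_split_path_info\b")
PATH_INFO_RE = re.compile(r"\bfastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\b")
TRY_FILES_RE = re.compile(r"\btry_files\b[^;]*\$fastcgi_script_name")
IF_EXISTS_RE = re.compile(r"\bif\s*\(\s*!-f\s+[^)]*\$fastcgi_script_name\s*\)")


def strip_comments(text):
    """Drop '#' comments so commented-out directives are not counted."""
    return re.sub(r"#[^\n]*", "", text)


def extract_location_blocks(text):
    """Return (header, body) pairs for every location block, matching braces
    so nested if-blocks stay inside the body of their location."""
    text = strip_comments(text)
    blocks = []
    for match in LOCATION_RE.finditer(text):
        depth, i = 1, match.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        blocks.append((match.group(1).strip(), text[match.end():i - 1]))
    return blocks


def is_unchecked_path_info(body):
    """True when PATH_INFO is derived from fastcgi_split_path_info and the
    block never verifies that $fastcgi_script_name exists on disk."""
    uses_split = SPLIT_RE.search(body) is not None
    sets_path_info = PATH_INFO_RE.search(body) is not None
    has_check = TRY_FILES_RE.search(body) or IF_EXISTS_RE.search(body)
    return uses_split and sets_path_info and not has_check


def find_unchecked_blocks(config_text):
    """Headers of the location blocks that match the risky pattern."""
    return [header for header, body in extract_location_blocks(config_text)
            if is_unchecked_path_info(body)]


if __name__ == "__main__":
    for header in find_unchecked_blocks(SAMPLE_CONFIG):
        print("PATH_INFO set without file-existence check in: location", header)
```

Run against a real configuration by reading the file (and any files it includes) into a string and passing it to find_unchecked_blocks; a non-empty result is a block to which "try_files $fastcgi_script_name =404;" should be added, or which should be updated to a fixed PHP-FPM build.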
The problem is caused by an error while manipulating pointers in the file
If the fastcgi_split_path_info directive splits the script path with a regular expression that does not handle a newline character in the request (for example, many examples suggest "^(.+?\.php)(/.*)$"), an attacker can cause an empty value to be written to the PATH_INFO environment variable. In this case, further along the execution
By requesting a specially formatted URL, an attacker can move the path_info pointer to the first byte of the "_fcgi_data_seg" structure; writing a zero to that byte moves the "char *pos" pointer into the preceding memory area. The FCGI_PUTENV call that follows then overwrites that memory with attacker-controlled data. The same memory also holds the values of other FastCGI variables, and by overwriting them the attacker can create a fake PHP_VALUE variable and achieve execution of their code.
Source: opennet.ru