A serious remote command execution vulnerability in the PHP-FPM module when used with NGINX has been disclosed as CVE-2019-11043.
Since NGINX does not have a native in-process PHP runtime and uses PHP-FPM instead, the PHP-FPM module is widely used.
By submitting a specially crafted (yet simple) HTTP request to the NGINX server, it is possible to execute system commands on the server. An example attack is described by Qualys in their report of this vulnerability.
NGINX describes the vulnerability as follows:
NGINX communicates with PHP‑FPM using the FastCGI protocol. Each FastCGI message contains a set of environment variables. One of these, PATH_INFO, is derived from other request parameters. If its value is unexpectedly empty, this can ultimately cause memory corruption in the PHP‑FPM binary. It is possible to exploit this situation and make the PHP‑FPM binary run arbitrary commands on the local server.
The vulnerability is fixed in PHP 7.2.24 and 7.3.11.
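An added defender-side check (example code, not from this advisory, NGINX or the PHP project) that applies the two points above: it compares a running PHP-FPM version against the fixed releases named here, and flags an nginx PHP location block that forwards PATH_INFO from fastcgi_split_path_info with no script-existence guard, the condition under which an unmatched split reaches PHP-FPM with an empty PATH_INFO. The location-block patterns and the try_files / -f guard are the commonly recommended nginx hardening, assumed here rather than stated on the page; the sample configs are constructed.

```python
import re

# Fixed PHP-FPM releases named in the advisory above.
FIXED_RELEASES = {(7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}

def php_fpm_is_patched(version):
    """True/False for the 7.2 and 7.3 branches; None for branches this advisory does not cover."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    fixed = FIXED_RELEASES.get(parts[:2])
    return None if fixed is None else parts >= fixed

# Assumed config patterns: the classic PHP location block derives PATH_INFO with
# fastcgi_split_path_info and forwards it to PHP-FPM unconditionally.
SPLIT = re.compile(r"^\s*fastcgi_split_path_info\b", re.M)
FORWARD = re.compile(r"^\s*fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;", re.M)
# Either guard rejects requests whose script path does not exist on disk before
# anything is sent to PHP-FPM (assumed hardening, not from the page).
GUARDS = [
    re.compile(r"^\s*try_files\s+\$uri\s*=404\s*;", re.M),
    re.compile(r"^\s*if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)", re.M),
]

def audit_php_location(block):
    """Return findings for one nginx `location` block; an empty list means nothing was flagged."""
    findings = []
    if SPLIT.search(block) and FORWARD.search(block):
        if not any(g.search(block) for g in GUARDS):
            findings.append("PATH_INFO is forwarded from fastcgi_split_path_info with no "
                            "script-existence guard, so a request the split regex does not "
                            "match reaches PHP-FPM with an empty PATH_INFO")
    return findings

# Constructed sample blocks: the first forwards PATH_INFO unguarded, the second adds try_files.
VULNERABLE = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    include fastcgi_params;
}
"""
HARDENED = VULNERABLE.replace("    fastcgi_split_path_info",
                              "    try_files $uri =404;\n    fastcgi_split_path_info")

if __name__ == "__main__":
    print("7.3.10 patched:", php_fpm_is_patched("7.3.10"))  # False
    print("vulnerable block:", audit_php_location(VULNERABLE))
    print("hardened block:", audit_php_location(HARDENED))    # []
```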