Nginx + php-fpm, remote code execution vulnerability.


netcarver

Site/System admins: If you are running any PHP-based site on Nginx using the php-fpm back-end, please be aware of CVE-2019-11043 [see 1]. This vulnerability potentially allows remote code execution on your site by simply sending it a specially crafted URL. Nextcloud have released this page and suggest upgrading your versions of PHP immediately.

Minimum safe versions of PHP are:

  • 7.1.33
  • 7.2.24
  • 7.3.11

I heard of this from the Security Now podcast, but the bug has been around for a few days and there is exploit code on GitHub.

A brief read through the details of this in the Security Now show notes [3], alongside the Nginx configs posted here in the forum [4] makes me think that this is relevant, and the need to upgrade is pressing.

Please note, this is not specifically a flaw in ProcessWire but some of the technology it can be run on. 

[1] https://meterpreter.org/cve-2019-11043-php-fpm-arbitrary-code-execution-vulnerability-alert/
[2] https://lab.wallarm.com/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise/
[3] https://www.grc.com/sn/sn-738-notes.pdf page 9
[4] 
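As an added example (not part of the original post), a small Python check that parses the local `php -v` output and compares it against the three branch minimums listed above; the `php -v` sample string is constructed, and branches the post does not list (e.g. 7.4) are reported as unknown rather than guessed.

```python
import re
import subprocess

# Minimum safe versions per PHP branch, as stated in the post above.
MIN_SAFE = {
    (7, 1): (7, 1, 33),
    (7, 2): (7, 2, 24),
    (7, 3): (7, 3, 11),
}


def parse_version(text):
    """Extract (major, minor, patch) from a PHP version string or `php -v` output.
    Distro suffixes such as '7.3.10-1+ubuntu18.04.1' are ignored."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no PHP version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if version is at or above its branch minimum, False if below,
    None if the branch is not one the post lists (e.g. 7.4 or 5.6)."""
    branch = version[:2]
    if branch not in MIN_SAFE:
        return None
    return version >= MIN_SAFE[branch]


def check_local_php():
    """Run the local php binary and classify it. This is a version-string
    check only: distributions that backport the fix without bumping the
    upstream version will show as unpatched here, so confirm against your
    distro's package changelog before concluding you are exposed."""
    out = subprocess.run(["php", "-v"], capture_output=True, text=True).stdout
    return is_patched(parse_version(out))


if __name__ == "__main__":
    # Constructed sample of a `php -v` first line (not output from any real host).
    sample = "PHP 7.3.10-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Sep 26 2019 10:05:25) ( NTS )"
    v = parse_version(sample)
    print(v, is_patched(v))  # (7, 3, 10) False
```

Run it on each host that serves PHP through php-fpm behind Nginx; a `False` result means the branch minimum from the post has not been reached.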
