SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.
SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt
This event is generated when Snort detects an attempt to add or modify PHP configuration via the URL.
Web Application Attack
Systems that are configured to run PHP in a potentially unsafe manner could allow an attacker to modify PHP runtime configuration via the URL. An example of this can be found in the proof-of-concept for CVE-2019-11043.
Ease of Attack:
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2019-11043: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of FPM setup, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Ease of Access: LOW