LiteSpeed Immune to PHP Exploit
The National Vulnerability Database recently published notice of PHP exploit CVE-2019-11043.
This exploit allowed remote code execution, particularly in PHP-FPM, the FastCGI Process Manager. One could trigger it by crafting a special request that took advantage of an underflow flaw in the PHP-FPM code.
On October 24th php.net issued three releases (7.1.33, 7.2.24 as well as 7.3.11), all fixing this vulnerability.
While the vulnerability itself was found within PHP, the exploit would usually be triggered in combination with the web server nginx. LiteSpeed Web Server is immune to the PHP exploit.
There are two main reasons why LiteSpeed is not vulnerable:
- Most importantly, we don’t use PHP-FPM. We always use our own LiteSpeed SAPI.
- Whenever we hit the PHP handler, LiteSpeed Web Server verifies that the specified file exists.
You can test the exploit via the Go Proof of Concept found here. This PoC executes a series of GET requests towards your web server with longer and longer query strings. On a LiteSpeed Server the output will look something like this:
./phuip-fpizdam https://example.com/script.php 2019/10/28 16:40:39 Base status code is 200 2019/10/28 16:40:41 Detect() returned error: no qsl candidates found, invulnerable or something wrong