PHP Team Fixes Nasty Site-owning Remote Execution Bug

Unlike other people, programmers do not fear Halloween and ghosts; but, our biggest nightmare that keeps us awake all night and for days are bugs! Often, these bugs turn out to be simple bugs that hinder the program’s execution and prevent the program from running as expected. But, what about bugs that not only take the world by storm but compromise the security of your application and invite cyber attackers to easily violate and access your application data?

Turns out that the PHP framework, a highly trusted development language and platform had a bug that allowed remote code execution in certain setups; this is undoubtedly quite risky. However, this news is just in – the PHP team resolves a high-risk execution bug, preventing attackers from taking over your application and keeping it secure! In this post, we will discuss all about the bug that the PHP team resolved and how it will undoubtedly help in your PHP application development!

What was the effect of the high-risk execution bug affecting the PHP platform?

Most website developers opt for PHP to easily develop dynamic websites; after all, developing multiple HTML files for the same web page can be quite hectic for you and might take up a lot of time. Even if you hire a web developer in India, developing and managing numerous HTML files can be quite impossible. This is why we recommend you choose PHP for dynamic and complex website development including eCommerce sites and online social media communities like Reddit.

Now, according to recent news, the PHP team resolves a high-risk execution bug, but what exactly is this bug? Well, this bug was found in PHP version 7 and only affects PHP instances that utilize the PHP FastCGI Process Manager, also referred to as the PHP-FPM. If you are a PHP developer, you surely know about a standard PHP module that is known as FastCGI; well, this PHP-FPM is a simple alternative to FastCGI and allows an interpreter outside the web server to execute PHP scripts. The PHP-FPM or the process manager version also comes with some additional features that allow you to easily develop and implement high-volume websites.

When you think about it, the feature of the process manager version that allows interpreters outside your application’s web server to execute your PHP scripts is actually quite useful; this is because it ensures that even if your application’s user is using some other interpreter, your script still runs. Well, this is until the bug comes into the scenario; this bug only works if your website is also accessing the Nginx web server, which is quite popular. Even W3techs recognizes its popularity and says that approximately 33.6% of all websites known to us use this server, which is a huge amount.

When you hire a web developer in India and propose your project, they will undoubtedly choose PHP over all other languages available; and, if you dig deeper, you will see that most of them will opt for the Nginx web server, meaning your application could have been affected by this bug (if your PHP application used Nginx and was developed before the PHP team resolved this high-risk execution bug)!

How did the bug hamper the security of applications and their PHP scripts?

According to the researcher who found this high-risk execution bug, when the PHP language called a script, it was not able to check whether the path of the script was correct or not. The researcher decided to manipulate a variable available in the PHP script that is also used by developers to configure it. The logic behind this (as explained by the researcher) was that – the technique allowed them to create a fake PHP_VALUE FCGI variable, and then they used a chain of config values that they carefully chose to execute the code.

Although this concept might seem complicated and quite difficult to use, this bug caused huge security threats; several agencies and businesses tried to hire a web developer in India for security fixes and patches, but the existence of the bug meant that numerous applications (at least over 30% of websites) would be at risk of cyber attacks and external threats.

Thankfully, the PHP team took note of this issue and began working on the patch to fix this issue and guarantee added security measures. The first action they took was publishing an untested version on their own forum to allow numerous PHP developers to test it and flag other issues (if any). Then, they collaborated with the researcher to understand the bug and prepare a testing patch that could solve the problem.

After numerous attempts where multiple developers tested the bug and committed the fix to the GitHub repository, the researcher finally published the developed exploit code; and, the best part is that the PHP team fixed this bug in numerous point releases of PHP’s different versions. Check the following table to understand which one you should download so that you do not need to face this bug:-

Previous VersionVersion with the Bug Fix and Patch
PHP 7.1PHP 7.1.33
PHP 7.2PHP 7.2.24
PHP 7.3PHP 7.3.11

Please note that for all of these security releases, you must download the latest full release to upgrade your PHP version to the latest point version and reap the benefits of PHP development after the bug fix.

What about the Nginx server and how did they solve the PHP bug?

Since this PHP bug mainly affected websites using the Nginx server, this bug also affected the default configuration of NextCloud – the company publishing self-hosted content collaboration software solutions and technologies. Their development team advises you to upgrade the software and make changes in your Nginx’s configuration before you restart your web server to apply the bug fix and patches.

If you are unable to update your Nginx file due to some other dependencies in your code, we recommend you partner with a PHP development company in India to ensure they have implemented some workarounds. Otherwise, if you don’t want to hire a web developer in India and want to do it by yourself, two workarounds that you can try include:-

  1. Add the following code line to your Nginx configuration file to enjoy the updated code and security patches –
try_files  $fastcgi_script_name = 404; 
  1. Make sure that your PHP code’s PATH_INFO value is not empty and you can easily do it by changing your PATH_INFO line as mentioned below –
fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;


Although the PHP team resolved the high-risk execution bug, a lot of application developers cannot benefit from it due to other code dependencies. However, with so many code dependencies available, it is easy for expert PHP developers to get out of the mess that the bug created. This is why we often recommend businesses to partner with an expert PHP development company in India to ensure quick and seamless development of secure and functional applications using PHP.

Leave a Reply

Your email address will not be published. Required fields are marked *