Vendor of Product: Netgear

Affected Product and Version: RAX30 V1.0.10.94

Description: In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability exists because security.limit_extensions is not restricted to .php as the PHP-FPM documentation requires. An attacker may exploit this by uploading malicious scripts with one of the additionally allowed extensions, so that the web server hands them to FPM and executes them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.

Detail:

In the Netgear RAX30 firmware, the relevant line of /etc/php-fpm.d/www.conf is as follows.

security.limit_extensions = .html .htm .php .php3 .php4 .php5 .php7

The official documentation of PHP-FPM (https://www.php.net/manual/en/install.fpm.configuration.php) states the following requirements.

security.limit_extensions string
Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users from using other extensions to execute php code. Default value: .php .phar

Clearly, this is a misconfiguration: FPM on the device will parse any file ending in .html, .htm, .php3, .php4, .php5 or .php7 as PHP, not only .php. An attacker may exploit this by uploading malicious scripts with one of these alternate extensions and having the web server execute them as PHP, bypassing security mechanisms that filter uploads by file extension. This may lead to remote code execution (RCE), information disclosure, or full system compromise.
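As an added audit example (not part of this advisory), the following Python script parses a php-fpm pool file and lists every extension in security.limit_extensions that lies outside the documented .php/.phar set; the two sample configurations are constructed around the line quoted above and a hardened variant.

```python
"""Audit a php-fpm pool file for an over-broad security.limit_extensions."""
import re

# Extensions the PHP-FPM documentation gives as the safe default.
SAFE_EXTENSIONS = {".php", ".phar"}

# Constructed sample: the directive reported for the RAX30 www.conf,
# embedded in a minimal pool file for illustration.
WEAK_CONF = """[www]
listen = 127.0.0.1:9000
security.limit_extensions = .html .htm .php .php3 .php4 .php5 .php7
"""

# Constructed sample: the same pool restricted to the documented default.
HARDENED_CONF = """[www]
listen = 127.0.0.1:9000
security.limit_extensions = .php .phar
"""


def limit_extensions(conf_text):
    """Return the extensions named by security.limit_extensions.

    ';' comments and blank lines are ignored and the last occurrence wins,
    as in php-fpm. An absent directive means the built-in default applies,
    which is returned explicitly. An empty value disables the check, which
    is returned as None.
    """
    value = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"security\.limit_extensions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip()
    if value is None:
        return sorted(SAFE_EXTENSIONS)
    return value.split() if value else None


def risky_extensions(conf_text):
    """Extensions FPM would execute as PHP beyond .php/.phar; ['*'] if unlimited."""
    exts = limit_extensions(conf_text)
    if exts is None:
        return ["*"]
    return [e for e in exts if e.lower() not in SAFE_EXTENSIONS]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, risky_extensions(conf) or "OK")
```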