Vendor of Product: Netgear
Affected Product and Version: RAX30 V1.0.10.94
Description:
In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability arises because the security.limit_extensions setting does not follow the PHP-FPM documentation's guidance to limit FPM to .php extensions only. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise.
Detail:
In the Netgear RAX30 firmware, the relevant part of /etc/php-fpm.d/www.conf reads as follows:
security.limit_extensions = .html .htm .php .php3 .php4 .php5 .php7
The official PHP-FPM documentation (https://www.php.net/manual/en/install.fpm.configuration.php) describes the directive as follows:
security.limit_extensions string
Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. Default value: .php .phar
The firmware's setting allows .html, .htm, .php3, .php4, .php5 and .php7 in addition to .php, which is exactly the configuration the documentation warns against, so this is clearly a misconfiguration vulnerability. The impact is as stated in the description: an attacker may upload malicious scripts disguised with one of these alternate extensions and trick the web server into executing them as PHP, bypassing extension-based filtering, which may lead to remote code execution (RCE), information disclosure, or full system compromise.
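As an added example (not part of the original advisory or of Netgear's firmware), the following Python audit script parses a php-fpm pool file, extracts security.limit_extensions, and reports every extension beyond the .php/.phar set the manual documents as the default. The RAX30_WWW_CONF sample embeds the one line the advisory quotes; the other directives in it, and the hardened pool shown beside it, are constructed for the example. It also handles the edge case where the directive is set to an empty value, which PHP's sample www.conf notes allows all extensions.

```python
import re

# Constructed sample pool file: the security.limit_extensions line is the
# one quoted in the advisory; the other directives are made up for the demo.
RAX30_WWW_CONF = """\
[www]
user = nobody
listen = /var/run/php-fpm.sock
security.limit_extensions = .html .htm .php .php3 .php4 .php5 .php7
"""

# Hardened form (constructed): restrict FPM to .php only, as the manual advises.
HARDENED_WWW_CONF = """\
[www]
user = nobody
listen = /var/run/php-fpm.sock
security.limit_extensions = .php
"""

# The default value documented in the PHP-FPM manual.
SAFE_EXTENSIONS = {".php", ".phar"}


def parse_limit_extensions(conf_text):
    """Return the extensions listed by the last security.limit_extensions
    directive in a pool file, or None if the directive is absent (PHP-FPM
    then uses its built-in default of .php .phar). The value is a
    whitespace-separated list, so it is split on whitespace."""
    result = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' begins a comment in php-fpm.conf
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "security.limit_extensions":
            result = value.split()
    return result


def audit_limit_extensions(conf_text):
    """Return a sorted list of extensions that exceed the manual's
    recommendation; an empty list means the pool is configured as documented.
    An empty value ('security.limit_extensions =') allows every extension and
    is reported as the marker '<unrestricted>'."""
    exts = parse_limit_extensions(conf_text)
    if exts is None:
        return []                      # absent directive: default .php .phar applies
    if not exts:
        return ["<unrestricted>"]      # empty value: FPM parses any file as PHP
    return sorted(e for e in exts if e.lower() not in SAFE_EXTENSIONS)


if __name__ == "__main__":
    for label, conf in (("RAX30 firmware", RAX30_WWW_CONF),
                        ("hardened", HARDENED_WWW_CONF)):
        extra = audit_limit_extensions(conf)
        verdict = "FAIL: extra extensions %s" % extra if extra else "OK"
        print("%-15s %s" % (label, verdict))
```

Run against a copy of /etc/php-fpm.d/www.conf pulled from a firmware image, the script flags .html, .htm, .php3, .php4, .php5 and .php7 for the RAX30 pool and reports the hardened pool as clean; the remediation is the single-line change shown in HARDENED_WWW_CONF followed by a PHP-FPM reload.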