Urgent security issue in NGINX/php-fpm

Hello, I’m using this example.
Can you please tell me what I have to modify?

I did
#apt update && apt install php7.3-fpm.
Was asked if I wanted to make some changes in some configuration files or keep the ones in place. I decided to keep them and not change. The update was eventful.

Found that the lines that needed to be edited were in fact located in /etc/nginx/conf.d/nextcloud.conf

Made the changes and saved.
Did
#service php7.3-fpm restart
#service nginx restart
#php -v
gives PHP 7.3.11-1+ubuntu18.04.1+deb.sury.org+1 (cli)

So far the site works as normal after the upgrade.

IMHO installing a sustainable and efficient server is not a simple endeavour. This may not matter most in small-scale service groups and for home users.

“Too many cooks spoil the broth.” & Beware of “quick and dirty.”
:smirk:

First, keep it small and keep it simple. Consider if your Nextcloud installation actually needs the ‘php-fpm’ module as this is the NC home user forum, if I may recall. Trust the true experts in the background and there is good reason for advice like "Note that most Apache users probably want the libapache2-mod-php7.3 package. " on Debian. However, Nginx is an excellent workhorse for big scales and in addition may help on systems with narrow resources.

Second, don’t cross your bridges before you come to them. There will be an official update to the php7.3-fpm and the nginx package available in due time as should be appropriate for your system flavour. There should be an applicable security advisory like e.g., a DSA available too, I presume.

Naturally, you are free to use your NC install for trials and to load any software as you deem necessary. Many if not most of the comments in this thread may guide you and provide true help, hopefully.
:innocent:

Hope this helps.

Thanks for the headsup.

I am running nextcloudpi.

When I do php -v, I have the following:

"Cannot load Zend OPcache - it was already loaded
PHP 7.2.24-1+0~20191026.31+debian9~1.gbpbbacde (cli) (built: Oct 26 2019 14:18:28) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-1+0~20191026.31+debian9~1.gbpbbacde, Copyright © 1999-2018, by Zend Technologies"

I understand that the latest PHP version is v. 7.3.11

I can't find the nginx config files in /etc/nginx/

Can you help me with the steps to update PHP to the latest version running NextcloudPi?

Nextcloud version is: 16.0.5.1

Thank you.

Regards

Cattivello
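Both posts above paste `php -v` output to decide whether the installed build is the patched one. As an added example (not code from this thread, from Nextcloud or from NextcloudPi), here is a small Python check that reads a `php -v` transcript of either shape posted above (the Ubuntu/sury line, and the NextcloudPi output that begins with an OPcache warning) and compares the upstream version against a per-branch minimum. The minimum versions in the table are assumptions taken from the versions named in this thread (7.3.11 for the 7.3 branch, 7.2.24 for 7.2); a branch not in the table, such as the Debian 7.0.33-0+deb9u6 build named later in the thread, is reported as unknown rather than guessed, because for such a backport the fix is only visible in the distro revision, not in the upstream number.

```python
"""Check a `php -v` transcript against a per-branch minimum upstream version.

Added example; not code from this thread, from Nextcloud or from NextcloudPi.
"""
import re

# Assumed minimums per minor branch, taken from the versions named in the
# thread (7.3.11 and 7.2.24). Branches missing here are reported as unknown.
PATCHED_MINIMUM = {
    (7, 3): (7, 3, 11),
    (7, 2): (7, 2, 24),
}

# "PHP 7.3.11-1+ubuntu18.04.1+deb.sury.org+1 (cli)" -> 7, 3, 11 plus the
# distro revision that directly follows the upstream version.
VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)(\S*)")


def parse_php_version(output):
    """Return (major, minor, patch, distro_revision) from `php -v` output,
    or None if no version line is present. Warnings such as
    'Cannot load Zend OPcache - it was already loaded' can precede the
    version line, so every line is tried, not just the first."""
    for line in output.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            major, minor, patch, revision = m.groups()
            return int(major), int(minor), int(patch), revision
    return None


def check_php_version(output):
    """Classify the build as 'patched', 'vulnerable', 'unknown' (branch not
    in the table) or 'unparseable'."""
    parsed = parse_php_version(output)
    if parsed is None:
        return "unparseable"
    major, minor, patch, _revision = parsed
    minimum = PATCHED_MINIMUM.get((major, minor))
    if minimum is None:
        # e.g. Debian's 7.0.33-0+deb9u6: a backported fix is only visible in
        # the distro revision, so defer to the distribution's advisory.
        return "unknown"
    return "patched" if (major, minor, patch) >= minimum else "vulnerable"


# Sample transcripts: the first two copy the lines posted in this thread,
# the third is constructed to show a build below the assumed minimum.
SAMPLE_UBUNTU = "PHP 7.3.11-1+ubuntu18.04.1+deb.sury.org+1 (cli)\n"
SAMPLE_NCP = (
    "Cannot load Zend OPcache - it was already loaded\n"
    "PHP 7.2.24-1+0~20191026.31+debian9~1.gbpbbacde (cli) (built: Oct 26 2019 14:18:28) ( NTS )\n"
    "Copyright (c) 1997-2018 The PHP Group\n"
)
SAMPLE_OLD = "PHP 7.2.23-1 (cli)\n"

if __name__ == "__main__":
    for name, transcript in (("ubuntu", SAMPLE_UBUNTU), ("ncp", SAMPLE_NCP), ("old", SAMPLE_OLD)):
        print(name, parse_php_version(transcript), check_php_version(transcript))
```

On a live system the transcript would come from `subprocess.run(["php", "-v"], capture_output=True, text=True).stdout`; the script keeps the comparison on the upstream version only and sends anything it cannot judge to the distribution advisory, which is where a backported Debian build has to be checked anyway.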

7.2.24 is the latest in 7.2 branch.

Please be aware I have no expertise of my own with NextcloudPi, unfortunately. However, some general advice in the following.

Your system may be without the nginx server and happily away from the a.m. ‘NGINX/php-fpm’ issue. Check for your active webserver with:

sudo systemctl status apache2

This should show your Apache 2.4 on the job or some other info.

You may consult the below article for background information.
Why NextCloudPi uses Apache and not Nginx

Consult the NCP docs on the project website and the NCP release section at GitHub:

There is an article as of August 2019 available giving some overview and specific advice on NCP updates on:

Apparently, one should follow a three-stage procedure for a more thorough NextcloudPi update / system migration:

In order to upgrade issue the following commands
sudo ncp-update
sudo ncp-dist-upgrade

Should the upgrade fail at some Debian package, you can issue ncp-dist-upgrade again after fixing it to complete the process.

Your goal should be a PHP 7.3 install. Apparently, the NCP update procedure should ensure everything is in the right place.

However, please be aware that you should avoid the apt update command usual to other Linux flavours, as NCP provides the a.m. special commands ncp-update and ncp-dist-upgrade specifically. Mixing NCP packages with standard packages would bring you some hassle and would destroy the good efforts of the NCP project on your install, I presume.

Further, you may consult the NC 16 php.ini configuration notes in the Nextcloud docs.

Please be aware you currently are in the ‘news’ category. There may be some better place to ask for help on your issues in this NC forum available at:

Hope this helps.
:smile:

BTW a little ACK to my comment (i.e. click on the heart icon :heart:) would show you are satisfied. This could be a kind gesture and would motivate me, like authors of other advice, to continue in seeking to help…
:smiley:

2 Likes

Debian users may perform the procedure of:

sudo apt update
sudo apt upgrade

appropriately to apply the security upgrade to php7.3 (7.3.11-1~deb10u1) and some other packages. The same applies to 7.0.33-0+deb9u6 and 5.6.40+dfsg-0+deb8u7 apparently.

Please consult the DSA 4553 for the PHP 7.3 Debian Security Advisory.

Hope this helps.
:smiley:

Hello all,

I’m sorry but I read all your messages and I am still not able to fix my configuration. I had a working configuration before and now it’s a blank page or an internal server error.

My configuration is a Debian one and I don’t understand, but I don’t have any error message.

My current configuration is this one:

upstream php-handler {
    server unix:/run/php/php7.3-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.xxxx.fr;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.xxxx.fr;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant
    ssl_certificate /etc/ssl/nginx/fullchaincert.pem;
    ssl_certificate_key /etc/ssl/nginx/cloud.xxxx.fr.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /www/cloud.xxxx.fr;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
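The part of the posted configuration that matters for the issue this thread is about is the PHP location block: what nginx does with a request before it hands it to php-fpm. As an added example, not code from this thread or from Nextcloud, here is a small Python audit that parses an nginx configuration, finds every location block containing fastcgi_pass, and reports whether it carries a `try_files ... =404` guard (which makes nginx reject a request whose script does not exist on disk before php-fpm ever sees it) and a fastcgi_split_path_info directive. It runs over two snippets constructed inline: one of the older, widely copied shape that passes every *.php request straight through, and an abridged copy of the block posted above, which has the guard. The parser is deliberately minimal (directives, quoted arguments, # comments, nested braces) and does not follow include files; names such as php-handler are taken from the posted config.

```python
"""Audit nginx location blocks that hand requests to FastCGI.

Added example; not code from this thread or from Nextcloud. Minimal parser:
directives, quoted arguments, '#' comments and nested {} blocks, which covers
the configuration posted above; `include` files are not followed.
"""
import re


def strip_comments(text):
    """Remove '#' comments, leaving a '#' inside a quoted argument intact."""
    cleaned = []
    for line in text.splitlines():
        quote, kept = None, []
        for ch in line:
            if quote:
                kept.append(ch)
                if ch == quote:
                    quote = None
            elif ch in ('"', "'"):
                quote = ch
                kept.append(ch)
            elif ch == "#":
                break
            else:
                kept.append(ch)
        cleaned.append("".join(kept))
    return "\n".join(cleaned)


# A token is a quoted string, one of { } ;, or a run of anything else.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def parse(text):
    """Return a tree of (directive, args, children); children is None for a
    simple directive and a list for a {} block."""
    tokens = TOKEN_RE.findall(strip_comments(text))

    def block(pos):
        items, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if words:
                    items.append((words[0], words[1:], None))
                words = []
            elif tok == "{":
                children, pos = block(pos)
                items.append((words[0] if words else "", words[1:], children))
                words = []
            elif tok == "}":
                return items, pos
            else:
                words.append(tok)
        return items, pos

    return block(0)[0]


def audit_fastcgi_locations(text):
    """For each location block that contains fastcgi_pass, report whether it
    has a `try_files ... =404` guard and a fastcgi_split_path_info directive."""
    findings = []

    def walk(items):
        for name, args, children in items:
            if children is None:
                continue
            if name == "location" and any(d == "fastcgi_pass" for d, _, _ in children):
                findings.append({
                    "location": " ".join([name] + args),
                    "try_files_404": any(d == "try_files" and "=404" in a for d, a, _ in children),
                    "split_path_info": any(d == "fastcgi_split_path_info" for d, _, _ in children),
                })
            walk(children)

    walk(parse(text))
    return findings


# Constructed sample: a PHP location of the older shape that passes every
# *.php request to FastCGI without checking that the script exists.
VULNERABLE_SNIPPET = r"""
server {
    # braces { } and ; inside comments must be ignored by the parser
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass php-handler;
    }
}
"""

# Abridged copy of the PHP block posted above, which carries the guard.
MITIGATED_SNIPPET = r"""
upstream php-handler {
    server unix:/run/php/php7.3-fpm.sock;
}
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_pass php-handler;
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_SNIPPET), ("mitigated", MITIGATED_SNIPPET)):
        for finding in audit_fastcgi_locations(cfg):
            print(label, finding)
```

To check a real file, pass its contents (for instance of /etc/nginx/conf.d/nextcloud.conf, the path the original poster found) to audit_fastcgi_locations(); a location that hands off to fastcgi_pass with try_files_404 False is the one to look at first. Note that a passing audit says nothing about the php-fpm package itself, which is the other half of the update discussed in this thread.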

Maybe I had a similar problem like yours.
After the updates of Raspbian on my pi I got error 502.
I figured out that the nginx service could not start because of a not started php-fpm service.
I had to enable the services again.
But that alone didn’t help because the services take too long to start and nginx again showed the error message. After adding this in nginx.service it seems to work.
[Service]
TimeoutStartSec=600

At least for me…

1 Like

Thanks, I only have to restart php with
systemctl restart php7.3-fpm.service

hi @TP75,
thanks for your answer. I think you are right, I have apache2 running and active.
As you mentioned… can I assume I am out of trouble?
I will not run the Debian update, to avoid breaking nextcloudpi (especially after reading of others that have done it and got into trouble).

1 Like

You are welcome.

BTW a little ACK to one or more of my comments (i.e. click on the heart icon :heart:) would show you are satisfied. This could be a kind gesture and would motivate me, like authors of other advice, to continue in lending a hand freely…
:smiley:

One should presume you are on the safe bank.

Good luck.
:four_leaf_clover:

1 Like

Hello,

after the update I was receiving some errors, can’t remember them now because I recopied the configuration for nginx. When I did that the index.php is not rendering and is now just trying to download. I believe this is because I am not pointing to where fpm is listening or something along those lines but I double checked the config and everything seems fine.
Not sure what to do here.

Please be aware this is the ‘news’ section and there are more appropriate categories like ‘support’ or ‘howto’ available in this user forum.

No offence. Hope this helps.
:smile:

Re: [Nextcloud community] [news] Urgent security issue in NGINX/php-fpm
Hello Nextcloud,

And it’s time to start a new thread and new subject-line, this “Urgent” matter is old news now. I’m tired of seeing “Urgent” in my inbox. It makes this list look like click bait…

Jason

Wednesday, November 6, 2019, 2:25:27 AM, you wrote:

TP75, November 6:
    Please be aware this is the ‘news’ section and there are more appropriate categories like ‘support’ or ‘howto’ available in this user forum.
    No offence. Hope this helps.

1 Like

@system To whom this may be of concern at Nextcloud.

We’re Nextcloud: the future of private file sync, share and communication!

:+1:

however, another click unfortunately.
:innocent:

Does this affect nginx-uwsgi users?

Apparently, NGINX with uWSGI is an application of the NGINX server in combination with the uWSGI server, if I understand your issue correctly.

IMHO your NGINX server has to be fully examined concerning the a.m. security issue at your deliberation.

Always seek to update to the most current version of NGINX, I presume.

There may be some advice from true NGINX server experts around. unfortunately, I can give no more specific advice.

Happy hacking.
:four_leaf_clover:

No you don’t. uWSGI is an application that runs with any web server that supports the WSGI standard.
This enables the use of any language that uwsgi supports with that web server.
Which means in this case php, which is why I’m asking if uwsgi is affected by this CVE.

ad 1

:pleading_face:

You have a NGINX server involved or not?

  1. When NGINX involved, check for the conditions ref to the CVE and security advisory applicable to the flavour in use at your premises.

  2. When NGINX not involved, have a nice day.

  3. When some misunderstanding apparent, try to rephrase and reshuffle and provide some more details, I presume.

  4. You may ignore any option and live happily ever after at your convenience.

Choose 1 - 4 and no cheating please.
:face_with_monocle:

Not my cup of tea.
BTW The uWSGI seems to be off-topic anyway.
:innocent:

Good luck.
:four_leaf_clover:


ad 2

Apparently, you chose option (1.) but cannot deduce sufficient details from a.m. CVE. Correct?

more information:

Emil Lerner and Andrew Danau discovered that insufficient validation in the path handling code of PHP FPM could result in the execution of arbitrary code in some setups

@Thaodan Would this information help you?


ad 3

@Thaodan There seems to be a basic misunderstanding.

  1. The author of this thread is @system i.e. Nextcloud GmbH.

  2. The title of this thread :top: given by the author is: “… issue in NGINX/php-fpm” :zap:

  3. One may refer to #64 by @JasGot who nicely requested:
    And it’s time to start a new thread and new subject-line, this “Urgent” matter is old news now.

  4. Please note I am not affiliated with Nextcloud GmbH.

Mission accomplished.
:innocent:


ad 4

:pleading_face:

A basic misunderstanding again, I presume. Please take the effort to truly read the first lines of text in this thread:

@Thaodan IMHO the wording used here is quite correct.
:nerd_face:

1 Like