Certain versions of PHP 7 running on NGINX with php-fpm enabled can be vulnerable to the remote code execution vulnerability CVE-2019-11043.

Given the simplicity of the exploit, all web servers using the vulnerable version of PHP should be upgraded to non-vulnerable PHP versions as soon as possible. Because the vulnerability is limited to specific configurations, the number of vulnerable installations is smaller than it might be.

Qualys Web Application Scanning (WAS) will test for this vulnerability as long as QIDs 150270 and 150271 are included in your scan. We recommend organizations immediately remediate all systems that are vulnerable. While you are getting ready to patch, you can easily deploy a virtual patch via pre-built templates in Qualys Web Application Firewall.

Remediation instructions are included below.

Continue reading …

Organizations that use automated scanners to test the security of their web apps must watch out for instances where these tools may trigger user account lockouts inadvertently.  Here we explain why this occurs and offer some tips for how to prevent this from happening with Qualys Web Application Scanning (WAS).

Continue reading …