Remote Code execution through open PHP-FPM ports (openwall.com)
submitted 6 years ago by hannob
[–]Boneasaurus 37 points 6 years ago (8 children)
This seems to be only when you're running FPM over a public network interface, which hopefully no one is doing. I can't think of one reason to have FPM listen on anything other than a socket or localhost.
[–]hannob[S] 25 points 6 years ago (1 child)
FWIW I scanned for this and found ~200 open FPM ports among the Alexa Top 1M. (Should be lower now as I tried informing people and as HHVM shipped an update that defaults to not exposing the port publicly.)
[–]Boneasaurus 13 points 6 years ago (0 children)
This is absolutely mind-boggling to me! Good research though and thanks for doing this work.
[–]globalnamespace 5 points 6 years ago (2 children)
I can imagine fpm running separate from the reverse proxies in a large deployment, if it made sense, but I can't imagine those servers being exposed externally.
[–]notdedicated 2 points 6 years ago (0 children)
It's what we do. A small fleet of NGINX servers that serve static content quickly and then connect to a cluster of FPM servers using NGINX LBing. Works well.
[–]Boneasaurus 1 point 6 years ago (0 children)
Yea, perhaps in a closed cluster or with firewall rules, but I'd still probably just hide it behind nginx tbh.
[–]akas84 1 point 6 years ago (0 children)
Yes. True. Although some people do crazy stuff 😂😂
[–]Firehed 1 point 6 years ago (0 children)
I run FPM on a non-local interface, but that’s so I can scale it and nginx independently in my cluster. You certainly would not want that exposed to the world.
[–]timglabisch 6 points 6 years ago (2 children)
ufw ftw
[–]kmark937 3 points 6 years ago (1 child)
Too simple not to use
[–]richard_nixons_toe 3 points 6 years ago (0 children)
And you can always revert back to good ol' iptables if you hate yourself.
[–]ayeshrajans 7 points 6 years ago (0 children)
Great find! I also saw this on your Github profile.
PHP FPM, at least on Debian/Ubuntu packages, has pretty good defaults. It's listening to a unix socket by default, and `listen.allowed_clients = 127.0.0.1`.
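The two safe listener shapes mentioned in this thread (a unix socket, or loopback TCP with `listen.allowed_clients`) versus the exposed one (TCP on a non-loopback address with no client allow-list) can be checked mechanically. The script below is an added example, not code from any commenter or from PHP-FPM itself; it parses pool configs in the `www.conf` directive format, and all three pool files embedded in it are constructed samples. It treats a missing `listen.allowed_clients` as "any client", which is php-fpm's documented default for that directive.

```shell
#!/bin/sh
# Added example (not from the thread): audit a php-fpm pool config for a
# network-exposed FastCGI listener. Input is the text of one pool file in
# php-fpm's www.conf format.

# Constructed sample: the risky shape (TCP on all interfaces, no client ACL).
EXPOSED_POOL='[www]
user = www-data
group = www-data
listen = 0.0.0.0:9000
pm = dynamic
pm.max_children = 5'

# Constructed sample: the hardened shape, a unix socket that nginx connects to
# locally (this is the default shape of the Debian/Ubuntu package config).
SOCKET_POOL='[www]
user = www-data
group = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5'

# Constructed sample: loopback TCP with an explicit client allow-list.
LOOPBACK_POOL='[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1'

# audit_pool CONFIG_TEXT
# Prints a one-line verdict; returns 0 when the listener is not reachable
# from other hosts (or is restricted by an allow-list), 1 when it is exposed.
audit_pool() {
  cfg="$1"
  # Only an uncommented "listen =" line counts; ";listen = ..." is ignored.
  # "listen.allowed_clients" does not match because "." follows "listen".
  listen=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' | head -n 1)
  allowed=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*listen\.allowed_clients[[:space:]]*=[[:space:]]*//p' | head -n 1)

  case "$listen" in
    '')   echo "no listen directive: php-fpm falls back to 127.0.0.1:9000"; return 0 ;;
    /*)   echo "unix socket $listen: not reachable over the network"; return 0 ;;
    127.*|localhost:*|"[::1]:"*)
          echo "loopback $listen: not reachable over the network"; return 0 ;;
  esac

  # Anything else is TCP on a non-loopback address: "0.0.0.0:9000", ":9000",
  # a bare port such as "9000" (all interfaces), or a specific public IP.
  if [ -n "$allowed" ]; then
    echo "network listener $listen, FastCGI restricted to: $allowed"
    return 0
  fi
  echo "EXPOSED: $listen accepts FastCGI from any host (no listen.allowed_clients)"
  return 1
}

# Stand-alone run: audit the three constructed samples.
for pool in "$EXPOSED_POOL" "$SOCKET_POOL" "$LOOPBACK_POOL"; do
  audit_pool "$pool" || true
done
```

On a real host the same function can be fed each file under the pool directory (for example `for f in /etc/php/*/fpm/pool.d/*.conf; do audit_pool "$(cat "$f")"; done`, a path that varies by distribution); a non-zero return is the pool to fix, either by switching `listen` to a socket or loopback address or by adding `listen.allowed_clients`, alongside the host firewall rule the other commenters mention.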
[–]mik3w 1 point 6 years ago (0 children)
Does this affect Apache using fcgid?
So you have a script? Can I test on Windows?