PHP XSS Vulnerability in PHP-FPM Status Page

A cross-site scripting (XSS) vulnerability has been identified in PHP-FPM status pages across multiple PHP versions, including 8.2.* prior to 8.2.31, 8.3.* prior to 8.3.31, 8.4.* prior to 8.4.21, and 8.5.* prior to 8.5.6. The issue arises from improper sanitization of user data, allowing attackers to craft URLs that execute arbitrary JavaScript on the viewer's machine. This could lead to cookie theft on poorly secured systems or the extraction of sensitive information from the status page itself. Notably, no authentication or access to the '/status' endpoint is required to exploit this vulnerability.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious JavaScript in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, navigate to a PHP-FPM status page URL and include a script tag in the request URI. For example, `example.com/<script>alert()</script>`. Then, access the status endpoint with the 'full' and 'html' parameters. This will trigger the JavaScript execution, demonstrating the XSS vulnerability. The same exploitation can be performed using the XML endpoint by embedding malicious XML nodes, which would result in an XML parsing error, further indicating the presence of the vulnerability.

Remediation

Users can upgrade to PHP versions 8.2.31, 8.3.31, 8.4.21, or 8.5.6 to address this vulnerability.