CVE-2019-11043 Security issue with nginx, php-fpm and Netxcloud

[FiveBoroughs]

https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

Upgrading PHP to > 7.2.24 would fix the issue but the max version available on Ubuntu 18.04 right now is 7.2.19

The other fix as specified in the Netxcloud link above is to make the following changes the /etc/nginx/conf.d/local.conf file :

location / {
  rewrite ^ /index.
}

Note the removal of $request_uri

location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
  fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
  try_files $fastcgi_script_name =404;
  include fastcgi_params;
  fastcgi_param SCRIPTFILENAME $document_root$fastcgi_script_name;
  fastcgi_param PATHINFO $fastcgi_path_info;
  fastcgi_param HTTPS on;
  # Avoid sending the security headers twice
  fastcgi_param modHeadersAvailable true;
  # Enable pretty urls
  fastcgi_param front_controller_active true;
  fastcgi_pass php-handler;
  fastcgi_intercept_errors on;
  fastcgi_request_buffering off;
}

Note the addition of the $try_files $fastcgi_script_name =404;

I've made those modifications myself but found out MIAB overwrites the nginx conf file daily.

[FiveBoroughs]

Closing this as another issue has been opened 10 minutes ago : #1663