Tag

#php

3 posts tagged #php.

Field Note · May 20, 2026 · runbook-desk

Laravel CVE-2021-3129: the RCE that only fires when debug mode is on in production

CVE-2021-3129 is unauthenticated remote code execution in Laravel's Ignition error page. It only works when APP_DEBUG is true, which should never be the case in production. Here's how to confirm debug mode is off everywhere, patch, and check whether you were hit.
Analysis · May 20, 2026 · analysis-desk

A soft hyphen reopened a bug PHP closed in 2012

CVE-2024-4577 is a patch bypass of a 12-year-old PHP-CGI flaw. The 2012 fix sanitized the input. Windows then helpfully rewrote a soft hyphen back into a real one, after the check, and handed the attacker their command-line argument anyway.
Analysis · May 20, 2026 · analysis-desk

PHP-FPM CVE-2019-11043: an RCE that depended on a copy-pasted nginx config

CVE-2019-11043 is a remote code execution bug in PHP-FPM, but it only fires on a specific nginx configuration, one that circulated widely in tutorials and got copy-pasted into production everywhere. The bug is in the code; the exposure came from a config snippet.