FastCGI Unauthorized Access Vulnerability
Description
FastCGI is a binary protocol that enables web servers to communicate with application processes. When a FastCGI service is misconfigured to listen on a network-accessible interface (typically port 9000), it becomes directly accessible to remote attackers.
This vulnerability exists because the FastCGI port 9000 is exposed to the network without authentication. Attackers can craft malicious FastCGI protocol packets and send them directly to this port, bypassing the web server entirely and communicating directly with the application backend.
This misconfiguration effectively removes all web server security controls and exposes the application layer to direct exploitation.
Remediation
Immediately restrict access to the FastCGI service to prevent unauthorized connections. Implement one of the following solutions:
Option 1: Bind to localhost only (Recommended)
Configure FastCGI to listen only on the local loopback interface so it cannot be accessed remotely.
For PHP-FPM, edit the pool configuration file (typically /etc/php-fpm.d/www.conf or /etc/php/7.x/fpm/pool.d/www.conf):
; Change from:
listen = 0.0.0.0:9000
; To:
listen = 127.0.0.1:9000
Option 2: Use Unix domain sockets (Most Secure)
Configure FastCGI to use a Unix socket instead of a TCP port:
; In PHP-FPM pool configuration:
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
Update your web server configuration to use the socket. For Nginx:
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

Option 3: Firewall restrictions
If remote access is required, implement strict firewall rules that allow connections to the FastCGI port only from the IP addresses of authorized web servers. Note that a firewall only limits which hosts can reach the port; it does not add authentication to the FastCGI protocol itself, so every host that is still allowed through can talk to the backend directly.
After making changes, restart the FastCGI service (for example PHP-FPM) and verify from a host outside the allowed set that port 9000 is no longer reachable, using a network scanning tool.
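As an added example (not part of this advisory or of PHP-FPM itself), the following Python script audits a PHP-FPM pool configuration and reports, per pool, whether its listen directive is a Unix socket (Option 2), bound to loopback (Option 1), or exposed on a network interface. The sample configuration embedded in the script is constructed for the demonstration; point audit_pool_config at the real www.conf text on your own system.

```python
"""Audit PHP-FPM pool configs for a network-exposed FastCGI listener."""
import re

# Constructed sample pool config (not taken from a real system).
SAMPLE_POOL_CONF = """\
[www]
user = nginx
; TCP on all interfaces: the misconfiguration this advisory describes
listen = 0.0.0.0:9000
[admin]
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
"""

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "[::1]", "localhost"}


def classify_listen(value: str) -> str:
    """Return 'unix-socket', 'loopback' or 'exposed' for a listen value."""
    value = value.strip()
    if value.startswith("/"):
        return "unix-socket"        # Option 2: no TCP port at all
    if value.isdigit():
        return "exposed"            # a bare port binds every interface
    host, _, _port = value.rpartition(":")
    if host in LOOPBACK_HOSTS:
        return "loopback"           # Option 1: local web server only
    return "exposed"                # 0.0.0.0, [::], or a routable address


def audit_pool_config(text: str) -> dict[str, str]:
    """Map each [pool] name to the classification of its listen directive."""
    result: dict[str, str] = {}
    pool = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            pool = section.group(1)
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "listen" and pool is not None:
            result[pool] = classify_listen(val)
    return result


def exposed_pools(text: str) -> list[str]:
    """Names of pools whose FastCGI listener is reachable from the network."""
    return [p for p, c in audit_pool_config(text).items() if c == "exposed"]


if __name__ == "__main__":
    for pool, cls in audit_pool_config(SAMPLE_POOL_CONF).items():
        print(f"{pool}: {cls}")
```

Any pool reported as exposed needs one of the three remediation options above; the script only reads the configuration, so pair it with the external port check to confirm the running service.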