
CERT Coordination Center

PHP-CGI query string parameter vulnerability

Vulnerability Note VU#520827

Original Release Date: 2012-05-03 | Last Revised: 2013-12-02

Overview

PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files.

Description

According to PHP's website, "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." When PHP is run in a CGI-based setup (such as Apache's mod_cgid), the web server passes the processed query string to php-cgi as command-line arguments. This allows command-line switches such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.

An example using the -s switch, which allows an attacker to view the source code of index.php, is below:
http://localhost/index.php?-s

Additional information can be found in the vulnerability reporter's blog post.

Impact

A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.

Solution

Apply update

PHP has released version 5.4.3 and 5.3.13 to address this vulnerability. PHP is recommending that users upgrade to the latest version of PHP.

PHP has stated: "PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues."

Apply mod_rewrite rule

PHP has stated that an alternative is to configure the web server to reject requests whose query string starts with a "-" and does not contain a "=". Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

    # Condition 1: the raw query string contains no literal "=" (so CGI treats it as arguments)
    RewriteCond %{QUERY_STRING} ^[^=]*$
    # Condition 2: it contains a "-", either literal or percent-encoded as %2d (case-insensitive)
    RewriteCond %{QUERY_STRING} %2d|\- [NC]
    # Both conditions met: return 403 Forbidden and stop processing rules
    RewriteRule .? - [F,L]
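The following is an added example, not part of the original note or of PHP's own code. It serves two purposes: it shows how a CGI server turns a query string without an unencoded "=" into php-cgi's argv (the mechanism described above, following RFC 3875 section 4.4), and it reproduces the two mod_rewrite conditions in Python so a defender can run them over web-server access logs to find requests the rule would have blocked. The log lines, IP addresses and paths are constructed for illustration; `is_blocked`, `cgi_argv`, `query_string_of` and `scan_log` are names chosen here, not names from Apache or PHP.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample Apache-style access-log lines (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 512 "-" "curl/7.22"
203.0.113.5 - - [03/May/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 512 "-" "curl/7.22"
198.51.100.7 - - [03/May/2012:10:00:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2012:10:00:04 +0000] "GET /index.php?q=foo-bar HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2012:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [03/May/2012:10:00:06 +0000] "GET /index.php?-d+foo%3dbar HTTP/1.1" 200 512 "-" "curl/7.22"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')


def cgi_argv(query_string: str) -> List[str]:
    """What a CGI server hands the script as command-line arguments (RFC 3875 4.4).

    Only a query string with no unencoded "=" is treated as an argument list:
    it is split on "+" and each word is percent-decoded. Note that "%2d"
    decodes to "-" and "%3d" decodes to "=", which is why the rewrite rule has
    to look at the raw, still-encoded string.
    """
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+")]


def is_blocked(query_string: str) -> bool:
    """Python mirror of the two RewriteCond lines, applied to the raw query string
    exactly as Apache's %{QUERY_STRING} exposes it (no decoding)."""
    no_literal_equals = re.fullmatch(r"[^=]*", query_string) is not None   # ^[^=]*$
    has_dash = re.search(r"%2d|-", query_string, re.IGNORECASE) is not None  # %2d|\- [NC]
    return no_literal_equals and has_dash


def query_string_of(log_line: str) -> Optional[str]:
    """Extract the raw query string from a combined-format access-log line.

    Returns None if no request line is found and "" if the request has no query.
    """
    match = REQUEST_RE.search(log_line)
    if match is None:
        return None
    return match.group("target").partition("?")[2]


def scan_log(lines) -> List[Tuple[str, List[str]]]:
    """Return (raw query string, decoded CGI argv) for each request the rule would block."""
    hits = []
    for line in lines:
        qs = query_string_of(line)
        if qs is not None and is_blocked(qs):
            hits.append((qs, cgi_argv(qs)))
    return hits


if __name__ == "__main__":
    for raw, argv in scan_log(SAMPLE_LOG.splitlines()):
        print(f"would block: ?{raw!r:<20} -> php-cgi argv {argv}")
```

Running the script over the constructed log flags the three requests whose query string starts with a dash (literal or `%2D`-encoded) and carries no literal `=`, while the ordinary `page=about` and `q=foo-bar` requests pass. The last hit shows why the raw-string check matters: `%3d` is not a literal `=`, so CGI still treats the query as an argument list and decodes it to `['-d', 'foo=bar']`, which the rule correctly rejects.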

Vendor Information

According to PHP's website Apache+mod_php and nginx+php-fpm are not affected.


The PHP Group Affected

Notified:  February 23, 2012 Updated: May 08, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 9 AV:N/AC:L/Au:N/C:C/I:P/A:P
Temporal 8.5 E:F/RL:U/RC:C
Environmental 8.7 CDP:L/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to De Eindbazen for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-1823, CVE-2012-2311
Date Public: 2012-05-03
Date First Published: 2012-05-03
Date Last Updated: 2013-12-02 04:26 UTC
Document Revision: 50

Sponsored by CISA.