Overview
PHP-CGI-based setups contain a vulnerability when parsing query string parameters from PHP files.
Description
According to PHP's website, "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi binary receives the processed query string as command-line arguments. This allows command-line switches, such as -s, -d or -c, to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution. An example of the -s command, allowing an attacker to view the source code of index.php, is below:
Impact
A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.
Solution
Apply update
Apply mod_rewrite rule
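To check whether requests of the kind described above have reached a server, the following added example (not part of the original advisory, and not the vendor's rewrite rule) scans access-log lines for query strings that a CGI server would pass as command-line arguments and whose first argument looks like a switch. It assumes an Apache-style log with the quoted request line; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Quoted request line as it appears in common/combined access-log formats (assumed).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_query(query: str) -> bool:
    """True if the query string would reach a CGI binary as argv and starts with a switch."""
    # CGI "indexed query" rule (RFC 3875, section 4.4): a query string with no
    # unencoded '=' is split into command-line arguments for the script.
    if not query or "=" in query:
        return False
    decoded = unquote_plus(query)  # %2d -> '-', '+' -> ' '
    # Leading whitespace is stripped as a conservative choice, so padded
    # switches are reported too.
    return decoded.lstrip().startswith("-")

def scan(lines):
    """Return (line_number, request_target) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        _, _, query = target.partition("?")
        if suspicious_query(query):
            hits.append((number, target))
    return hits

# Constructed sample log lines (documentation IP range, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 512',
    '192.0.2.10 - - [03/May/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 512',
    '192.0.2.11 - - [03/May/2012:10:00:03 +0000] "POST /index.php?-d+name%3dvalue HTTP/1.1" 200 64',
    '192.0.2.12 - - [03/May/2012:10:00:04 +0000] "GET /index.php?page=-s HTTP/1.1" 200 2048',
    '192.0.2.12 - - [03/May/2012:10:00:05 +0000] "GET /index.php?id=42 HTTP/1.1" 200 2048',
    '192.0.2.13 - - [03/May/2012:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit only shows that such a request was received; whether it had any effect depends on whether the target was served by php-cgi and on the PHP version in use.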
Vendor Information
According to PHP's website, Apache+mod_php and nginx+php-fpm are not affected.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 9 | AV:N/AC:L/Au:N/C:C/I:P/A:P |
Temporal | 8.5 | E:F/RL:U/RC:C |
Environmental | 8.7 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND |
References
- http://www.php.net/
- http://www.php.net/manual/en/security.cgi-bin.php
- http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
- http://www.php.net/archive/2012.php#id2012-05-03-1
- http://www.php.net/archive/2012.php#id2012-05-08-1
- http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
Acknowledgements
Thanks to De Eindbazen for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
CVE IDs: CVE-2012-1823, CVE-2012-2311
Date Public: 2012-05-03
Date First Published: 2012-05-03
Date Last Updated: 2013-12-02 04:26 UTC
Document Revision: 50