Vulnerability Note VU#520827

PHP-CGI query string parameter vulnerability

Original Release date: 03 May 2012 | Last revised: 01 Dec 2013

Overview

PHP, when run as a CGI binary (php-cgi), mishandles query string parameters: a query string that contains no "=" is handed to php-cgi as command-line arguments, so command-line switches can be supplied in a URL.

Description

According to PHP's website, "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." When PHP is run in a CGI-based setup (such as Apache's mod_cgid), the web server passes a query string that contains no "=" to the php-cgi binary as command-line arguments, following the CGI specification. Command-line switches such as -s, -d or -c can therefore be supplied in the URL, which can be exploited to disclose source code and to obtain arbitrary code execution.

An example of the -s switch, allowing an attacker to view the source code of index.php, is below:

        http://localhost/index.php?-s

Additional information can be found in the vulnerability reporter's blog post.

Impact

A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.

Solution

Apply update

PHP has released versions 5.4.3 and 5.3.13 to address this vulnerability. PHP recommends that users upgrade to the latest version of PHP.

PHP has stated: "PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues."
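The $* versus "$@" hazard in PHP's statement, shown as an added example that is not code from the vulnerability note, from PHP, or from any real cgiwrapper. The two wrapper bodies are constructed stand-ins: the web server has already turned the query string into argv and the wrapper forwards argv onward; here php-cgi is replaced by a loop that prints each argument it received, so the block runs under /bin/sh (assumed present) without PHP installed. The argv and file names are constructed for illustration.

```python
import os
import subprocess
import tempfile

# Constructed wrapper bodies. A real cgiwrapper would end in exec php-cgi ...;
# the loop stands in for php-cgi and reports one received argument per line.
WRAPPER_UNQUOTED_STAR = 'for a in $*; do printf "%s\\n" "$a"; done'    # the insecure pattern
WRAPPER_QUOTED_AT = 'for a in "$@"; do printf "%s\\n" "$a"; done'      # forwards argv intact


def run_wrapper(script, argv, cwd):
    """Run a wrapper body under /bin/sh with argv as its positional parameters
    and return the list of arguments the simulated php-cgi received."""
    proc = subprocess.run(
        ["sh", "-c", script, "wrapper", *argv],   # "wrapper" becomes $0, argv becomes $1..
        capture_output=True, text=True, check=True, cwd=cwd,
    )
    return proc.stdout.splitlines()


def compare_wrappers(argv):
    """Return (args seen through $*, args seen through "$@") for one argv list.
    Runs in a scratch directory holding two .php files so that pathname
    expansion of the unquoted $* is visible."""
    with tempfile.TemporaryDirectory() as scratch:
        for name in ("config.php", "index.php"):
            open(os.path.join(scratch, name), "w").close()
        return (run_wrapper(WRAPPER_UNQUOTED_STAR, argv, scratch),
                run_wrapper(WRAPPER_QUOTED_AT, argv, scratch))


# Constructed argv: one word containing a space (a %20 the server decoded) and
# one word that is a glob pattern. The server passed exactly two arguments.
SERVER_ARGV = ["-d display_errors=1", "*.php"]

if __name__ == "__main__":
    star, at = compare_wrappers(SERVER_ARGV)
    print("server passed    :", SERVER_ARGV)
    print('wrapper with $*  :', star)   # re-split on whitespace and glob-expanded
    print('wrapper with "$@":', at)     # identical to what the server passed
```

With unquoted $* the shell re-splits every argument on whitespace and applies pathname expansion, so php-cgi sees four arguments instead of two and the wrapper has invented a switch boundary the server never passed; with "$@" each argument arrives exactly as the server produced it.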

Apply mod_rewrite rule

PHP has stated that an alternative is to configure the web server to reject requests whose query string starts with a "-" and does not contain an "=". Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

        RewriteCond %{QUERY_STRING} ^[^=]*$
        RewriteCond %{QUERY_STRING} %2d|\- [NC]
        RewriteRule .? - [F,L]
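The argument derivation described under Description and the rewrite rule above, modelled together in Python as an added example (not code from the vulnerability note, from PHP, or from Apache). cgi_argv is a simplified model of the CGI/1.1 rule (RFC 3875, section 4.4) by which an "="-free query string becomes command-line arguments; rewrite_rule_blocks applies the two RewriteCond patterns to the raw query string, which is what mod_rewrite's %{QUERY_STRING} holds; the sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote


def cgi_argv(query_string):
    """Model of the CGI/1.1 argument derivation (RFC 3875, section 4.4):
    when the raw QUERY_STRING contains no unencoded "=", the server splits it
    on "+", percent-decodes each word once and hands the words to the CGI
    program as command-line arguments. With php-cgi as that program, a word
    beginning with "-" is parsed as a php-cgi switch. A real server may apply
    extra escaping to each word; that is omitted here."""
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


# The two RewriteCond lines above as Python regexes on the raw query string.
NO_EQUALS = re.compile(r"^[^=]*$")
DASH_OR_ENCODED_DASH = re.compile(r"%2d|\-", re.IGNORECASE)


def rewrite_rule_blocks(query_string):
    """True when the rewrite rule would answer 403 for this raw query string."""
    return bool(NO_EQUALS.match(query_string)
                and DASH_OR_ENCODED_DASH.search(query_string))


def switch_reaches_php_cgi(query_string):
    """True when the argv model yields at least one word starting with "-"."""
    return any(word.startswith("-") for word in cgi_argv(query_string))


# Constructed sample query strings (not from the vulnerability note).
SAMPLES = [
    "-s",                      # the -s example above: php-cgi receives ["-s"]
    "%2ds",                    # percent-encoded dash, decoded once by the server
    "-d+display_errors%3d1",   # "=" encoded as %3d keeps the raw string "="-free
    "page=home",               # ordinary form data: no argv at all
    "hello+world",             # isindex-style words, no switch
    "my-page",                 # refused by the rule although no switch results
    "%252ds",                  # double-encoded: decoded once to "%2ds", not a switch
]


def classify(query_string):
    """Return (argv, blocked_by_rule, switch_reaches_php_cgi) for one query string."""
    return (cgi_argv(query_string),
            rewrite_rule_blocks(query_string),
            switch_reaches_php_cgi(query_string))


def rule_covers_all_switches(samples=SAMPLES):
    """Check that every sample in which a switch would reach php-cgi is blocked."""
    return all(rewrite_rule_blocks(q) for q in samples if switch_reaches_php_cgi(q))


if __name__ == "__main__":
    for q in SAMPLES:
        argv, blocked, switch = classify(q)
        print(f"{q!r:26} argv={argv!r:34} blocked={blocked!s:5} switch={switch}")
    print("rule blocks every switch-carrying sample:", rule_covers_all_switches())
```

Two points the samples make. The rule is evaluated on the raw query string, so a "=" encoded as %3d does not exempt a request; that is what keeps the -d sample blocked, and it matches the server's own test for "=" before it builds argv. The rule also rejects a "-" anywhere in an "="-free query string, not only at the start, so an isindex-style word such as my-page is refused even though no php-cgi switch would result. That false positive is the price of the simple pattern; a site that relies on "="-free query strings containing hyphens should check for them before deploying the rule.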

Vendor Information

According to PHP's website Apache+mod_php and nginx+php-fpm are not affected.

Vendor          Status     Date Notified   Date Updated
The PHP Group   Affected   23 Feb 2012     08 May 2012

CVSS Metrics

Group          Score   Vector
Base           9.0     AV:N/AC:L/Au:N/C:C/I:P/A:P
Temporal       8.5     E:F/RL:U/RC:C
Environmental  8.7     CDP:L/TD:H/CR:ND/IR:ND/AR:ND

Credit

Thanks to De Eindbazen for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2012-1823 CVE-2012-2311
  • Date Public: 03 May 2012
  • Date First Published: 03 May 2012
  • Date Last Updated: 01 Dec 2013
  • Document Revision: 49
