CERT VU#520827

PHP-CGI query string parameter vulnerability

Published: 2012-05-03 (www.kb.cert.org)

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE
Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.974 High (percentile 99.9%)

Overview

PHP-CGI-based setups are vulnerable in the way query string parameters of requests for PHP files are passed to the php-cgi binary.

Description

According to PHP’s website, “PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.” When PHP is used in a CGI-based setup (such as Apache’s mod_cgid), the php-cgi binary receives the processed query string as command-line arguments. This allows command-line switches such as -s, -d or -c to be passed to php-cgi, which can be exploited to disclose source code and obtain arbitrary code execution.

An example using the -s switch, which allows an attacker to view the source code of index.php, is below:
<http://localhost/index.php?-s>

Additional information can be found in the vulnerability reporter’s blog post.


Impact

A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.


Solution

Apply update

PHP has released versions 5.4.3 and 5.3.13 to address this vulnerability. PHP recommends that users upgrade to the latest version of PHP.

PHP has stated: “PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues.”


Apply mod_rewrite rule

PHP has stated that an alternative is to configure your web server not to let through requests whose query string starts with a “-” and does not contain a “=”. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
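To check what the two RewriteCond lines actually match, the following Python example (added here; it is not part of the advisory or of PHP's published rule) mirrors their logic and runs it over a few constructed Apache access-log lines, which also makes it usable as a retrospective detection check. Note that the hyphen test is not anchored to the start of the query string, so a benign query such as ?my-post is refused as well; the log lines, IPs and timestamps below are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Mirror of the advisory's two RewriteCond lines. Apache's %{QUERY_STRING}
# is the raw (undecoded) query string, which is why the rule has to look for
# both a literal "-" and its percent-encoded form "%2d" (NC = case-insensitive).
NO_EQUALS = re.compile(r"^[^=]*$")                 # condition 1: no "=" at all
HAS_DASH = re.compile(r"%2d|-", re.IGNORECASE)     # condition 2: "-" or "%2d"


def is_switch_like_query(query_string: str) -> bool:
    """True when the mod_rewrite rule would answer the request with 403 (F)."""
    return bool(NO_EQUALS.match(query_string)) and bool(HAS_DASH.search(query_string))


# Constructed Apache combined-format access log lines (sample data, not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2012:10:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 1532 "-" "curl/7.22"
10.0.0.5 - - [03/May/2012:10:01:09 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 1532 "-" "curl/7.22"
10.0.0.8 - - [03/May/2012:10:02:00 +0000] "GET /index.php?id=1&sort=-date HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [03/May/2012:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [03/May/2012:10:03:00 +0000] "GET /blog.php?my-post HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Extract client IP and request target from a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def find_suspicious_requests(log_text: str) -> list:
    """Return (ip, target) for every request the rewrite rule would have refused."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # urlsplit keeps the query undecoded, matching Apache's %{QUERY_STRING}.
        query = urlsplit(m.group("target")).query
        if is_switch_like_query(query):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_suspicious_requests(SAMPLE_LOG):
        print(f"refused by rule: {ip} {target}")
```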


Vendor Information

According to PHP’s website Apache+mod_php and nginx+php-fpm are not affected.



The PHP Group Affected

Notified: February 23, 2012 Updated: May 08, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           9      AV:N/AC:L/Au:N/C:C/I:P/A:P
Temporal       8.5    E:F/RL:U/RC:C
Environmental  8.7    CDP:L/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to De Eindbazen for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-1823, CVE-2012-2311
Date Public: 2012-05-03 Date First Published:
