Metric | Value |
---|---|
CVSS2 score | 7.5 High |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
EPSS | 0.974 High |
EPSS Percentile | 99.9% |
PHP-CGI-based setups contain a vulnerability when parsing query string parameters from PHP files.
According to PHP's website, "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." When PHP is used in a CGI-based setup (such as Apache's mod_cgid), php-cgi receives a processed query string parameter as command line arguments, which allows command-line switches such as -s, -d or -c to be passed to the php-cgi binary. This can be exploited to disclose source code and obtain arbitrary code execution.
An example of the -s switch, which allows an attacker to view the source code of index.php, is below:
<http://localhost/index.php?-s>
Additional information can be found in the vulnerability reporter's blog post.
A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.
Apply update
PHP has released versions 5.4.3 and 5.3.13 to address this vulnerability. PHP is recommending that users upgrade to the latest version of PHP.
PHP has stated, PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues.
Apply mod_rewrite rule
PHP has stated an alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
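The two RewriteCond tests above can also be replayed over existing access logs to see which past requests the rule would have rejected. This is an added example, not code from PHP or from the original note; it assumes Apache combined-format logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The two RewriteCond patterns, applied to the raw (undecoded) query string,
# which is what Apache exposes as %{QUERY_STRING}.
NO_EQUALS = re.compile(r"[^=]*")             # ^[^=]*$  (used with fullmatch)
DASH = re.compile(r"%2d|-", re.IGNORECASE)   # %2d|\- [NC], unanchored

# Client address and request target from a combined-format access log line.
LOG_LINE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[0-9.]+"')


def rule_matches(raw_query):
    """True when both RewriteCond lines match, i.e. the rule answers 403."""
    return bool(NO_EQUALS.fullmatch(raw_query)) and bool(DASH.search(raw_query))


def flag_requests(lines):
    """Return (client, target) for each logged request the rule would reject."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a well-formed request entry
        client, target = m.groups()
        # urlsplit does not percent-decode, so %2d stays visible to the pattern.
        if rule_matches(urlsplit(target).query):
            hits.append((client, target))
    return hits


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [04/May/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/May/2012:10:00:03 +0000] "GET /index.php?id=-5 HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/May/2012:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 812',
    # No "=" and a dash in the middle: the unanchored pattern matches this too.
    '203.0.113.4 - - [04/May/2012:10:00:05 +0000] "GET /news.php?summer-sale HTTP/1.1" 200 990',
    '203.0.113.4 - - [04/May/2012:10:00:06 +0000] "GET /index.php?page HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for client, target in flag_requests(SAMPLE_LOG):
        print(client, target)
```

The `summer-sale` line shows that the rule rejects any "="-free query string containing a dash anywhere, so a log replay like this is a useful check before deploying the rule on a site that uses such URLs.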
According to PHP's website, Apache+mod_php and nginx+php-fpm are not affected.
520827
Notified: February 23, 2012 Updated: May 08, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 9 | AV:N/AC:L/Au:N/C:C/I:P/A:P |
Temporal | 8.5 | E:F/RL:U/RC:C |
Environmental | 8.7 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to De Eindbazen for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: | CVE-2012-1823, CVE-2012-2311 |
---|---|
Date Public: | 2012-05-03 |
Date First Published: | |