{"result": {"cve": [{"id": "CVE-2012-1823", "type": "cve", "title": "CVE-2012-1823", "description": "sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.", "published": "2012-05-11T06:15:48", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-01-18T11:55:09"}], "threatpost": [{"id": "PHP-GROUP-SET-RELEASE-ANOTHER-PATCH-CVE-2012-1823-FLAW-050812/76537", "type": "threatpost", "title": "PHP Group Set to Release Another Patch for CVE-2012-1823 Flaw", "description": "The PHP Group on Tuesday is planning to release another new version of the scripting language that\u2019s designed to address, again, the [remotely exploitable flaw](<https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/>) that came to light last week. That bug, which requires no authentication, was supposed to have been fixed in new releases pushed out on May 3, but they didn\u2019t completely address the problem.\n\nAfter The [PHP Group released new versions](<https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/>) of the language, the research team that initially discovered the flaw warned that the fixes didn\u2019t completely address the issue and still left sites vulnerable. The researchers, known as Eindbazen, discovered the vulnerability during a capture the flag competition earlier this year and were working with PHP developers and US-CERT on a fix. 
But the bug was disclosed accidentally when the PHP internal tracking system mistakenly marked the bug as public before a patch was ready.\n\nThe PHP Group on Friday released two new versions of the language, but Eindbazen said that they did not completely fix the problem.\n\n\u201cThe new PHP release is buggy. You can use their mitigation mod_rewrite rule, but the patch and new released versions do not fix the problem. At the bottom we have added a version of the PHP patch that fixes the obvious problem with the patch merged in the recently released security update,\u201d the team said. \n\nNow, the PHP developers are planning to push out another new release on Tuesday to hopefully fix the flaw.\n\n\u201cPHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use **$*** instead of **\u201c$@\u201d** to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected,\u201d The PHP Group said.\n\n\u201cAnother set of releases are planned for Tuesday, May, 8th. 
These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).\u201d", "published": "2012-05-08T14:46:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/76537/", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-09-04T20:48:12"}, {"id": "PHP-GROUP-RELEASES-NEW-VERSIONS-PATCH-DOESNT-FIX-CVE-2012-1823-BUG-050412/76524", "type": "threatpost", "title": "PHP Group Releases New Versions, But Patch Doesn\u2019t Fix CVE-2012-1823 Bug", "description": "**UPDATE**\u2013The developers of PHP have released new versions of the scripting language to fix a [remotely exploitable vulnerability](<https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/>) announced earlier this week that enables an attacker to pass command-line arguments to the PHP binary. The flaw has been in the code for more than eight years and The PHP Group was working on a patch for it when the bug was disclosed accidentally on Reddit. However, the team that found the bug says the new versions of PHP don\u2019t actually fix the vulnerability. \n\nThe new versions of PHP are available now and the developers recommend that users upgrade as soon as possible. PHP versions 5.3.12 and 5.4.2 both contain the fix for the vulnerability. 
\n\n\u201cWe\u2019ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It\u2019s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (\u2018-\u2019) are not escaped. So we can pass as many options to PHP as we want!\u201d the team that discovered the flaw, known as [Eindbazen](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>), wrote in their analysis of the bug. \n\nEindbazen said in an updated post that the PHP patch isn\u2019t sufficient to fix the bug.\n\n\u201cThe new PHP release is buggy. You can use their mitigation mod_rewrite rule, but the patch and new released versions do not fix the problem. At the bottom we have added a version of the PHP patch that fixes the obvious problem with the patch merged in the recently released security update,\u201d the team said. 
\n\nThe PHP Group is working on a new fix for the vulnerability now.\n\n\u201cWe have received word that new PHP updates with the revised fix will be released soon. The issue that this problem was not properly fixed by the original security update is being tracked as CVE-2012-2311,\u201d Eindbazen said.\n\nThe PHP Group also had some other problems this week, specifically a problem in its internal bug-handling system that resulted in the private discussion on the CVE-2012-1823 vulnerability being marked as public. That led to the bug being posted to Reddit. The Eindbazen team then posted the details of the bug, which they had discovered in January during a capture the flag contest.\n\n\u201cThere is a vulnerability in certain CGI-based setups **(Apache+mod_php and nginx+php-fpm are not affected)** that has gone unnoticed for at least 8 years. [Section 7 of the CGI spec](<http://tools.ietf.org/html/draft-robinson-www-interface-00#section-7>) states:\n\nSome systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed\u2019 query. This is identified by a \u201cGET\u201d or \u201cHEAD\u201d HTTP request with a URL search string not containing any unencoded \u201c=\u201d characters.\n\nSo, requests that do not have a \u201c=\u201d in the query string are treated differently from those who do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.\n\nA large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable,\u201d the [PHP Group](<http://www.php.net/archive/2012.php#id2012-05-03-1>) said in its release notes for the new versions. \u201cIf you are using Apache mod_cgi to run PHP you may be vulnerable. 
To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.\n\nThe PHP developers said that while the new versions of the language should work for most users, it may not be feasible for some users to update much older versions of PHP. In that case, users can deploy a workaround.\n\n\u201cAn alternative is to configure your web server to not let these types of requests with query strings starting with a \u201c-\u201d and not containing a \u201c=\u201d through. Adding a rule like this should not break any sites,\u201d they said.", "published": "2012-05-04T14:26:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://threatpost.com/php-group-releases-new-versions-patch-doesnt-fix-cve-2012-1823-bug-050412/76524/", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "lastseen": "2016-09-04T20:52:11"}, {"id": "NEW-EXPLOITS-ARRIVE-FOR-OLD-PHP-VULNERABILITY/104881", "type": "threatpost", "title": "Exploits for Two-Year-Old PHP Security Vulnerability Found", "description": "Close to two years ago, a [serious vulnerability in PHP was accidentally disclosed](<http://threatpost.com/serious-remote-php-bug-accidentally-disclosed-050312/76517>) after it was discovered months prior during a hacking contest. 
A patch was released in relatively short order, and one would assume that given PHP\u2019s prevalence as a web development framework, the fix would have been applied just as quickly.\n\nBut given the discovery last October of a new set of exploits for [CVE-2012-1823](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>), that assumption may not be correct.\n\nResearchers at [Imperva ](<http://blog.imperva.com/2014/03/threat-advisory-php-cgi-at-your-command.html>)have been watching since Oct. 29 attacks exploiting the PHP bug. 
Attackers were using the new exploit to deliver arbitrary code to websites running PHP 5.4.x, 5.3.x before 5.4.2 or 5.3.12; those vulnerable versions account for about 16 percent of the sites on the web according to director of security research Barry Shteiman.\n\nThe new exploits were dangerous in that they allowed hackers to abuse an old vulnerability to not only run arbitrary code, but also adapt techniques found in botnets and crimeware kits to inject malware, steal credentials or system data from the server, or move laterally within the data center.\n\n\u201cNot only are we seeing a vulnerability used after it was released so long ago, but what we\u2019re seeing is attackers and professional hackers understanding what vendors understand\u2014people just don\u2019t patch,\u201d Shteiman said. \u201cThey can\u2019t or won\u2019t or are not minded to fix these problems.\u201d\n\nPHP is found on nearly 82 percent of websites today; these attacks target sites where PHP is running with CGI as an option, creating a condition that allows for code execution from the outside. Shteiman said the vulnerability affects a built-in mechanism in PHP that protects itself from exposing files and commands. A configuration flaw allows hackers to first disable the security mechanism, which in turn allows a hacker to run remote code or arbitrarily inject code.\n\n\u201cWith the new exploit, it\u2019s the same relative technique, but what we\u2019ve seen is a lot of automation,\u201d Shteiman said. \u201cThe tool that attacked these systems is running an interesting subset of dictionaries that requires an attacker know where PHP is installed on the server. We\u2019ve seen attackers trying different paths to see which backend contains the [PHP] executable.\u201d\n\nThe big-picture problem is the number of PHP websites still running vulnerable code despite the availability of a patch for close to two years now.\n\n\u201cPHP is installed as an interpreter,\u201d Shteiman said. 
\u201cReplacing the existing instance of PHP with a new one means downtime. Sometimes you may have to change applications because some things that are now deprecated may require application changes. For that reason, sometimes organizations don\u2019t patch or go a different route. They might use a new framework instead.\u201d\n\nOriginal reports on the vulnerability triggered advisories from a number of organizations, including US-CERT. The bug is a relatively simple one; researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted to the PHP binary.\n\n\u201cYou\u2019d think these bugs would be long forgotten, but it isn\u2019t so; they\u2019re like the undead. Vulnerabilities never die,\u201d Shteiman said. \u201cThey don\u2019t die and we realize if we see this executed by botnets trying to onboard servers and by crimeware kits being sold, that means attackers understand they can rely on old problems because people won\u2019t fix them and attackers don\u2019t have to work too hard.\u201d", "published": "2014-03-19T12:12:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://threatpost.com/new-exploits-arrive-for-old-php-vulnerability/104881/", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-09-04T20:46:43"}, {"id": "SERIOUS-REMOTE-PHP-BUG-ACCIDENTALLY-DISCLOSED-050312/76517", "type": "threatpost", "title": "Serious Remote PHP Bug Accidentally Disclosed", "description": "A serious remote-code execution vulnerability in PHP was accidentally disclosed Wednesday, leading to fears of an outbreak of attacks on sites that were built using vulnerable versions of PHP. 
The bug has been known privately since January when a team of researchers used it in a capture the flag contest and then subsequently reported it to the PHP Group. The developers were still in the process of building the patch for the flaw when it was disclosed Wednesday.\n\nThe vulnerability is a simple one but it has serious consequences. Essentially, the researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted to the PHP binary.\n\n\u201cWhen PHP is used in a CGI-based setup (such as Apache\u2019s `mod_cgid`), the `php-cgi` receives a processed query string parameter as command line arguments which allows command-line switches, such as `-s, -d or -c` to be passed to the `php-cgi` binary, which can be exploited to disclose source code and obtain arbitrary code execution,\u201d the [US-CERT](<http://www.kb.cert.org/vuls/id/520827>) said in an advisory published Wednesday. 
\u201cA remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.\u201d\n\nThe team that found the bug, known as Eindbazen, said that they had been waiting for several months for the PHP Group to release a patch for the vulnerability in order to publish information about the bug. However, someone accidentally marked an internal PHP bug as public and it eventually was posted to Reddit. So Eindbazen then published the details of their findings and how it can be exploited. \n\n\u201cWe\u2019ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It\u2019s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (\u2018-\u2019) are not escaped. So we can pass as many options to PHP as we want!\u201d they wrote in their analysis of the [PHP CVE-2012-1823 vulnerability](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>). \n\n\u201cThere is one slight complication: php5-cgi behaves differently depending on which environment variables have been set, disabling the flag -r for direct code execution among others. However, this can be trivially bypassed. We\u2019re removing the remote code execution PoC out of an abundance of caution, but at this point anyone should be able to figure this out. And for the record: safe_mode, allow_url_include and other security-related ini settings will not save you.\u201d\n\nPHP is one of the more popular scripting languages used in Web development. 
Since the time that the Eindbazen team reported the bug to the PHP Group, there have been several new versions of the language released, with various other security fixes, but without a patch for the CVE-2012-1863 bug. Right now, there is no patch available for the flaw discovered by the Eindbazen team, however they list a couple of technical workarounds in their post and have produced a file that includes both of them that users can [download](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>).", "published": "2012-05-03T14:09:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://threatpost.com/serious-remote-php-bug-accidentally-disclosed-050312/76517/", "cvelist": ["CVE-2012-1823", "CVE-2012-1863"], "lastseen": "2016-09-04T20:50:36"}, {"id": "ANOTHER-SET-PHP-RELEASES-PUSHED-OUT-FIX-CVE-2012-1823-FLAW-050912/76544", "type": "threatpost", "title": "Another Set of PHP Releases Pushed Out to Fix CVE-2012-1823 Flaw", "description": "For the second time in less than a week, the developers of PHP have released new versions of the language that include a fix for the remotely exploitable vulnerability that was disclosed last week. The group is encouraging users to upgrade to PHP 5.4.3 or 5.3.13 immediately. \n\nThe [vulnerability affects PHP](<https://threatpost.com/another-set-php-releases-pushed-out-fix-cve-2012-1823-flaw-050912/>) sites in CGI-based setups and can enable an attacker to get access to the site\u2019s source code by passing certain queries to the PHP binary as command-line arguments. 
The bug was disclosed last week before a patch was available through a mistake in the PHP Group\u2019s internal bug-handling system.\n\n\u201cThe PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13\n\nThe releases complete a fix for a [vulnerability](<http://www.php.net/archive/2012.php#id2012-05-03-1>) in CGI-based setups (CVE-2012-2311). _Note: mod_php and php-fpm are not vulnerable to this attack,\u201d _the PHP developers said.\n\n\u201cPHP 5.4.3 fixes a buffer overflow vulnerability in the [apache_request_headers()](<http://php.net/manual/function.apache-request-headers.php>) (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.\u201d\n\nThe PHP Group [released a fix for the bug](<https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/>) late last week, but the researchers who discovered the flaw originally found that the new versions didn\u2019t completely address the problem and still left vulnerable sites exposed to attack. 
There are mitigations available for the bug, as explained by the [Eindbazen](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>) team that found the flaw, but users should upgrade their installations as soon as they can.", "published": "2012-05-09T14:32:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://threatpost.com/another-set-php-releases-pushed-out-fix-cve-2012-1823-flaw-050912/76544/", "cvelist": ["CVE-2012-2311", "CVE-2012-2329"], "lastseen": "2016-09-04T20:53:01"}], "cert": [{"id": "VU:673343", "type": "cert", "title": "Parallels Plesk Panel phppath/php vulnerability", "description": "### Overview\n\nParallels Plesk Panel versions 9.0 - 9.2.3 on Linux platforms are vulnerable to remote code execution.\n\n### Description\n\nParallels Plesk Panel versions 9.0 - 9.2.3 on Linux platforms may be exploited by a combination of [CVE-2012-1823](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>) and the Plesk phppath script alias usage. There have been reports that this vulnerability is being exploited in the wild. \n \n--- \n \n### Impact\n\nA remote unauthenticated attacker may be able to run arbitrary code under the context of the web server user. \n \n--- \n \n### Solution\n\n**Apply an Update**\n\nParallels Plesk Panel 9.0 - 9.2.3 have been considered [end-of-life](<http://www.parallels.com/products/plesk/lifecycle>) software for over 3 years. Users should upgrade to at least 9.5.4 or later. Parallels will provide additional workaround mitigations in[ Knowledge base article 116241](<http://kb.parallels.com/116241>) soon. \n \nPlease consider the following workarounds if you are unable to upgrade. \n \n--- \n \n**Update PHP** \n \n[Update PHP](<http://www.php.net/archive/2012.php#id2012-05-03-1>) to protect against CVE-2012-1823. \n \n**Restrict Access** \n \nDo not allow untrusted networks to connect to the Plesk Panel. 
\n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nParallels Holdings Ltd| | 06 Jun 2013| 07 Jun 2013 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23673343 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.5 | E:H/RL:OF/RC:C \nEnvironmental | 4.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://kb.parallels.com/116241>\n * <http://kb.parallels.com/en/113818>\n * <http://www.parallels.com/products/plesk/lifecycle>\n * <http://seclists.org/fulldisclosure/2013/Jun/21>\n * <http://blogs.cisco.com/security/plesk-0-day-targets-web-servers/>\n * <http://kb.parallels.com/en/113814>\n * <http://www.php.net/archive/2012.php#id2012-05-03-1>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>\n\n### Credit\n\nKingcope published an exploit for this vulnerability to the Full Disclosure mailing list.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n * CVE IDs: [CVE-2012-1823](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823>)\n * Date Public: 05 Jun 2013\n * Date First Published: 07 Jun 2013\n * Date Last Updated: 07 Jun 2013\n * Document Revision: 15\n\n", "published": "2013-06-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/673343", "cvelist": ["CVE-2012-1823", "CVE-2012-1823", "CVE-2012-1823", "CVE-2012-1823", "CVE-2012-1823", "CVE-2012-1823"], "lastseen": "2016-02-03T09:13:22"}, {"id": "VU:520827", "type": "cert", "title": "PHP-CGI query string parameter vulnerability", "description": "### Overview\n\nPHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files.\n\n### Description\n\nAccording to PHP's [website](<http://php.net/>), \"PHP is a widely-used general-purpose 
scripting language that is especially suited for Web development and can be embedded into HTML.\" When PHP is used in a CGI-based setup (such as Apache's `mod_cgid`), the `php-cgi` receives a processed query string parameter as command line arguments which allows command-line switches, such as `-s, -d or -c` to be passed to the `php-cgi` binary, which can be exploited to disclose source code and obtain arbitrary code execution. \n\nAn example of the `-s` command, allowing an attacker to view the source code of `index.php` is below: \n\n`<http://localhost/index.php?-s>` \nAdditional information can be found in the vulnerability reporter's [blog post](<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>). \n \n--- \n \n### Impact\n\nA remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server. \n \n--- \n \n### Solution\n\n**Apply update** \n \nPHP has released version [5.4.3](<http://www.php.net/archive/2012.php#id2012-05-08-1>) and [5.3.13](<http://www.php.net/archive/2012.php#id2012-05-08-1>) to address this vulnerability. PHP is recommending that users upgrade to the latest version of PHP. \n \nPHP has stated, _PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of \"$@\" to pass parameters to php-cgi which causes a number of issues._ \n \n--- \n \n**Apply mod_rewrite rule** \n \n_PHP has _[_stated _](<http://www.php.net/archive/2012.php#id2012-05-03-1>)_an alternative is to configure your web server to not let these types of requests with query strings starting with a \"-\" and not containing a \"=\" through. Adding a rule like this should not break any sites. 
For Apache using mod_rewrite it would look like this_: \n\n\n` RewriteCond %{QUERY_STRING} ^[^=]*$` \n` RewriteCond %{QUERY_STRING} %2d|\\- [NC]` \n` RewriteRule .? - [F,L]` \n \n--- \n \n### Vendor Information \n\nAccording to PHP's [website](<http://www.php.net/archive/2012.php#id2012-05-03-1>) _Apache+mod_php and nginx+php-fpm are not affected._ \n \n--- \nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nThe PHP Group| | 23 Feb 2012| 08 May 2012 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23520827 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.0 | AV:N/AC:L/Au:N/C:C/I:P/A:P \nTemporal | 8.5 | E:F/RL:U/RC:C \nEnvironmental | 8.7 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://www.php.net/>\n * <http://www.php.net/manual/en/security.cgi-bin.php>\n * <http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/>\n * <http://www.php.net/archive/2012.php#id2012-05-03-1>\n * <http://www.php.net/archive/2012.php#id2012-05-08-1>\n * <http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices>\n\n### Credit\n\nThanks to De Eindbazen for reporting this vulnerability.\n\nThis document was written by Michael Orlando.\n\n### Other Information\n\n * CVE IDs: [CVE-2012-1823](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823>) [CVE-2012-2311](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2311>)\n * Date Public: 03 May 2012\n * Date First Published: 03 May 2012\n * Date Last Updated: 01 Dec 2013\n * Document Revision: 49\n\n", "published": "2012-05-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/520827", "cvelist": ["CVE-2012-2311", "CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1823", "CVE-2012-1823"], "lastseen": "2016-02-03T09:12:33"}], "openvas": [{"id": "OPENVAS:1361412562310120147", "type": "openvas", 
"title": "Amazon Linux Local Check: ALAS-2012-77", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120147", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-07-24T12:51:14"}, {"id": "OPENVAS:881180", "type": "openvas", "title": "CentOS Update for php53 CESA-2012:0547 centos5 ", "description": "Check for the Version of php53", "published": "2012-07-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881180", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-01-02T10:57:15"}, {"id": "OPENVAS:71384", "type": "openvas", "title": "FreeBSD Ports: php5", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2012-05-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=71384", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-07-02T21:10:50"}, {"id": "OPENVAS:870593", "type": "openvas", "title": "RedHat Update for php RHSA-2012:0546-01", "description": "Check for the Version of php", "published": "2012-05-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870593", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-01-06T13:07:18"}, {"id": "OPENVAS:1361412562310123926", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2012-0547", "description": "Oracle Linux Local Security Checks ELSA-2012-0547", "published": "2015-10-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123926", 
"cvelist": ["CVE-2012-1823"], "lastseen": "2017-07-24T12:52:20"}, {"id": "OPENVAS:1361412562310881180", "type": "openvas", "title": "CentOS Update for php53 CESA-2012:0547 centos5 ", "description": "Check for the Version of php53", "published": "2012-07-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881180", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-04-06T11:18:12"}, {"id": "OPENVAS:1361412562310881206", "type": "openvas", "title": "CentOS Update for php CESA-2012:0546 centos6 ", "description": "Check for the Version of php", "published": "2012-07-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881206", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-04-06T11:20:26"}, {"id": "OPENVAS:136141256231071384", "type": "openvas", "title": "FreeBSD Ports: php5", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2012-05-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071384", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-04-06T11:19:41"}, {"id": "OPENVAS:1361412562310881165", "type": "openvas", "title": "CentOS Update for php CESA-2012:0546 centos5 ", "description": "Check for the Version of php", "published": "2012-07-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881165", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-04-06T11:17:42"}, {"id": "OPENVAS:1361412562310123924", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2012-0546", "description": "Oracle Linux Local Security Checks ELSA-2012-0546", 
"published": "2015-10-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123924", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-07-24T12:52:43"}], "thn": [{"id": "THN:F0587F0EFE1B937682CDBA5338BDE708", "type": "thn", "title": "Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP-CGI Vulnerability", "description": "None\n", "published": "2013-11-30T09:08:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-01-08T18:01:12"}, {"id": "THN:D19F749C01E3D51E6C22C7E18BB57759", "type": "thn", "title": "Linux Worm targets Internet-enabled Home appliances to Mine Cryptocurrencies", "description": "[](<http://4.bp.blogspot.com/-XAsXMXrVRn4/Uyqy3GL-9EI/AAAAAAAAatg/T1_l1UZYSNI/s1600/Linux-malware-Internet-of-Things-security-app.png>)\n\nCould a perfectly innocent-looking device like a router, TV set-top box or security camera mine Bitcoins? YES! Hackers are not going to spare smart Internet-enabled devices.\n\n \n\n\nA Linux worm named **_Linux.Darlloz_**, earlier used to target _Internet of Things (IoT)_ devices, i.e. 
home routers, set-top boxes, security cameras, printers and industrial control systems, has now been upgraded to mine cryptocurrencies like Bitcoin.\n\n \n\n\nSecurity researchers at antivirus firm [Symantec](<http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency>) spotted the Darlloz Linux worm back in November, and they spotted the latest variant of the worm in mid-January this year.\n\n \n\n\nThe _Linux.Darlloz_ worm exploits a PHP vulnerability (__[CVE-2012-1823](<http://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html>)__) to propagate and is capable of infecting devices that run Linux on Intel\u2019s x86 chip architecture and other embedded device architectures such as PPC, MIPS and MIPSEL.\n\n \n\n\nThe latest variant of _Linux.Darlloz_ is equipped with an open source cryptocurrency mining tool called '_[cpuminer](<http://sourceforge.net/projects/cpuminer/>)_', which could be used to mine Mincoins, Dogecoins or [Bitcoins](<http://thehackernews.com/search/label/Bitcoin>).\n\n \n\n\nSymantec researchers scanned the entire address space of the Internet and found 31,716 devices infected with Darlloz. \"_By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). 
These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization._\" said Kaoru Hayashi, senior development manager and threat analyst with Symantec in Japan.\n\n \n\n\nThe major infected countries are China, the U.S., South Korea, Taiwan and India.\n\n[](<http://1.bp.blogspot.com/-EtVgrEz1c3o/UyqcCffn2-I/AAAAAAAAas8/tx2Irf9tGFA/s1600/Darlloz-hack-malware.png>)\n\nCryptocurrency typically requires more memory and powerful CPUs, so the [malware](<http://thehackernews.com/search/label/Malware>) could be updated to target other IoT devices in the future, such as home automation devices and wearable technology. \n \nA few weeks back, Cisco announced a global and industry-wide initiative to bring the security community and researchers together to contribute to securing the Internet of Things (IoT) and launched a contest called the \"**[Internet of Things Grand Security Challenge](<http://thehackernews.com/2014/03/Internet-of-Things-Security-Apps.html>)**\", offering prizes of up to $300,000 for winners.\n\n \n\n\nUsers are advised to update firmware and apply security patches for all software installed on computers or Internet-enabled devices. 
Make sure you are not using a default username or password on any device, and block port 23 or 80 from outside if not required.\n", "published": "2014-03-19T22:26:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-01-08T18:01:06"}, {"id": "THN:26139DCDB80F29AA56F9DB9ADFBD986B", "type": "thn", "title": "Linux Worm targets Internet-enabled Home appliances to Mine Cryptocurrencies", "description": "[](<https://4.bp.blogspot.com/-XAsXMXrVRn4/Uyqy3GL-9EI/AAAAAAAAatg/T1_l1UZYSNI/s1600/Linux-malware-Internet-of-Things-security-app.png>)\n\nCould a perfectly innocent-looking device like a router, TV set-top box or security camera mine Bitcoins? YES! Hackers are not going to spare smart Internet-enabled devices.\n\n \n\n\nA Linux worm named **_Linux.Darlloz_**, earlier used to target _Internet of Things (IoT)_ devices, i.e. 
home routers, set-top boxes, security cameras, printers and industrial control systems, has now been upgraded to mine cryptocurrencies like Bitcoin.\n\n \n\n\nSecurity researchers at antivirus firm [Symantec](<http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency>) spotted the Darlloz Linux worm back in November, and they spotted the latest variant of the worm in mid-January this year.\n\n \n\n\nThe _Linux.Darlloz_ worm exploits a PHP vulnerability (__[CVE-2012-1823](<https://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html>)__) to propagate and is capable of infecting devices that run Linux on Intel\u2019s x86 chip architecture and other embedded device architectures such as PPC, MIPS and MIPSEL.\n\n \n\n\nThe latest variant of _Linux.Darlloz_ is equipped with an open source cryptocurrency mining tool called '_[cpuminer](<https://sourceforge.net/projects/cpuminer/>)_', which could be used to mine Mincoins, Dogecoins or [Bitcoins](<https://thehackernews.com/search/label/Bitcoin>).\n\n \n\n\nSymantec researchers scanned the entire address space of the Internet and found 31,716 devices infected with Darlloz. \"_By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). 
These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization._\" said Kaoru Hayashi, senior development manager and threat analyst with Symantec in Japan.\n\n \n\n\nThe major infected countries are China, the U.S., South Korea, Taiwan and India.\n\n[](<https://1.bp.blogspot.com/-EtVgrEz1c3o/UyqcCffn2-I/AAAAAAAAas8/tx2Irf9tGFA/s1600/Darlloz-hack-malware.png>)\n\nCryptocurrency typically requires more memory and powerful CPUs, so the [malware](<https://thehackernews.com/search/label/Malware>) could be updated to target other IoT devices in the future, such as home automation devices and wearable technology. \n \nA few weeks back, Cisco announced a global and industry-wide initiative to bring the security community and researchers together to contribute to securing the Internet of Things (IoT) and launched a contest called the \"**[Internet of Things Grand Security Challenge](<https://thehackernews.com/2014/03/Internet-of-Things-Security-Apps.html>)**\", offering prizes of up to $300,000 for winners.\n\n \n\n\nUsers are advised to update firmware and apply security patches for all software installed on computers or Internet-enabled devices. 
Make sure you are not using a default username or password on any device, and block port 23 or 80 from outside if not required.\n", "published": "2014-03-19T22:26:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-01-27T09:17:56"}], "packetstorm": [{"id": "PACKETSTORM:112971", "type": "packetstorm", "title": "PHP CGI Argument Injection", "description": "", "published": "2012-05-22T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/112971/PHP-CGI-Argument-Injection.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-12-05T22:23:39"}, {"id": "PACKETSTORM:123833", "type": "packetstorm", "title": "Apache / PHP Remote Command Execution", "description": "", "published": "2013-10-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/123833/Apache-PHP-Remote-Command-Execution.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-12-05T22:24:41"}, {"id": "PACKETSTORM:112486", "type": "packetstorm", "title": "PHP CGI Injection ", "description": "", "published": "2012-05-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/112486/PHP-CGI-Injection.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-12-05T22:25:20"}, {"id": "PACKETSTORM:112477", "type": "packetstorm", "title": "PHP CGI Argument Injection", "description": "", "published": "2012-05-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/112477/PHP-CGI-Argument-Injection.html", "cvelist": ["CVE-2012-1823"], "lastseen": 
"2016-12-05T22:20:30"}, {"id": "PACKETSTORM:123859", "type": "packetstorm", "title": "Apache + PHP 5.x Remote Code Execution Python Exploit #2", "description": "", "published": "2013-10-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/123859/Apache-PHP-5.x-Remote-Code-Execution-Python-Exploit-2.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-12-05T22:13:04"}, {"id": "PACKETSTORM:119075", "type": "packetstorm", "title": "PHP-CGI Argument Injection Remote Code Execution", "description": "", "published": "2012-12-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/119075/PHP-CGI-Argument-Injection-Remote-Code-Execution.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-12-05T22:23:14"}], "nessus": [{"id": "REDHAT-RHSA-2012-0569.NASL", "type": "nessus", "title": "RHEL 5 : php53 (RHSA-2012:0569)", "description": "Updated php53 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.6 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. 
(CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2013-01-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64036", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:37:52"}, {"id": "ORACLELINUX_ELSA-2012-0546.NASL", "type": "nessus", "title": "Oracle Linux 5 / 6 : php (ELSA-2012-0546)", "description": "From Red Hat Security Advisory 2012:0546 :\n\nUpdated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. 
(CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68524", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:32:46"}, {"id": "PHP_5_4_2.NASL", "type": "nessus", "title": "PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution", "description": "According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is potentially affected by a remote code execution and information disclosure vulnerability. \n\nAn error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'. \n\nNote that this vulnerability is exploitable only when PHP is used in CGI-based configurations. 
Apache with 'mod_php' is not an exploitable configuration.", "published": "2012-05-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=58988", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-02-21T23:50:40"}, {"id": "SL_20120507_PHP53_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : php53 on SL5.x i386/x86_64", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823) \n\nScientific Linux is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations. This flaw does not affect the default configuration using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a backported patch to resolve this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=61311", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:41:46"}, {"id": "ORACLELINUX_ELSA-2012-0547.NASL", "type": "nessus", "title": "Oracle Linux 5 : php53 (ELSA-2012-0547)", "description": "From Red Hat Security Advisory 2012:0547 :\n\nUpdated php53 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a backported patch to resolve this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68525", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:46:04"}, {"id": "SL_20120507_PHP_ON_SL5_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : php on SL5.x, SL6.x i386/x86_64", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nScientific Linux is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations. This flaw does not affect the default configuration in Scientific Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=61312", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:35:40"}, {"id": "CENTOS_RHSA-2012-0546.NASL", "type": "nessus", "title": "CentOS 5 / 6 : php (CESA-2012:0546)", "description": "Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2012-05-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=59021", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:40:53"}, {"id": "REDHAT-RHSA-2012-0546.NASL", "type": "nessus", "title": "RHEL 5 / 6 : php (RHSA-2012:0546)", "description": "Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2012-05-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=59030", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:45:38"}, {"id": "CENTOS_RHSA-2012-0547.NASL", "type": "nessus", "title": "CentOS 5 : php53 (CESA-2012:0547)", "description": "Updated php53 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a backported patch to resolve this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2012-05-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=59058", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:43:32"}, {"id": "REDHAT-RHSA-2012-0568.NASL", "type": "nessus", "title": "RHEL 5 / 6 : php (RHSA-2012:0568)", "description": "Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5.3 Long Life, and Red Hat Enterprise Linux 5.6, 6.0 and 6.1 Extended Update Support.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nPHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations.\nThis flaw does not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.", "published": "2013-01-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=64035", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-29T13:40:27"}], "seebug": [{"id": "SSV:60093", "type": "seebug", "title": "PHP-CGI Remote Arbitrary Code Execution Vulnerability", "description": "CVE ID: CVE-2012-1823\r\n\r\nPHP is an HTML-embedded language. PHP is quite similar to Microsoft's ASP: both are scripting languages that are embedded in HTML documents and executed on the server side. Its style resembles the C language, and it is now widely used by many website programmers. It can be invoked by various web servers in a number of ways to implement dynamic web pages.\r\n\r\nPHP has a vulnerability in the way it handles the passing of parameters. Under specific configurations, a remote attacker may exploit this vulnerability to obtain script source code or execute arbitrary commands on the server.\r\n\r\nWhen PHP is invoked in a particular CGI mode (for example Apache's mod_cgid), php-cgi receives the processed query string as command-line arguments, which allows command-line switches (for example -s, -d 
or -c) to be passed to the php-cgi program, leading to source code disclosure and arbitrary code execution. FastCGI is not affected.\n0\nPHP\nTemporary workaround:\r\n\r\nUse a RewriteRule to filter requests:\r\n\r\nThe RewriteRule rules are as follows\r\n\r\nRewriteEngine on\r\nRewriteCond %{QUERY_STRING} ^[^=]*$\r\nRewriteCond %{QUERY_STRING} %2d|\\- [NC]\r\nRewriteRule .? - [F,L]\r\n\r\nVendor patch:\r\n\r\nPHP\r\n---\r\nThe vendor has released two new versions, 5.3.12 and 5.4.2, but there are reports that they do not correctly fix this security issue. Please watch the vendor's website closely and download the latest version:\r\n\r\nhttp://www.php.net", "published": "2012-05-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-60093", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-11-19T17:52:45"}, {"id": "SSV:79637", "type": "seebug", "title": "Plesk < 9.5.4 - Zeroday Remote Exploit", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-79637", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-11-19T13:38:05"}, {"id": "SSV:61070", "type": "seebug", "title": "Apache / PHP 5.x Remote Code Execution Exploit", "description": "No description provided by source.", "published": "2013-10-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-61070", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-11-19T17:39:53"}, {"id": "SSV:72860", "type": "seebug", "title": "PHP CGI Argument 
Injection Exploit", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-72860", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-11-19T15:54:18"}, {"id": "SSV:72859", "type": "seebug", "title": "PHP CGI Argument Injection", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-72859", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-11-19T15:53:29"}, {"id": "SSV:60536", "type": "seebug", "title": "PHP-CGI Argument Injection Remote Code Execution", "description": "No description provided by source.", "published": "2012-12-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-60536", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-11-19T17:47:53"}, {"id": "SSV:82805", "type": "seebug", "title": "Apache / PHP 5.x - cgi-bin Remote Code Execution Exploit", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-82805", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-11-19T15:16:41"}], "centos": [{"id": "CESA-2012:0546", "type": "centos", "title": "php security update", "description": "**CentOS Errata and Security Advisory** CESA-2012:0546\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. 
A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration in Red Hat Enterprise Linux 5 and\n6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-May/018613.html\nhttp://lists.centos.org/pipermail/centos-announce/2012-May/018614.html\n\n**Affected packages:**\nphp\nphp-bcmath\nphp-cli\nphp-common\nphp-dba\nphp-devel\nphp-embedded\nphp-enchant\nphp-gd\nphp-imap\nphp-intl\nphp-ldap\nphp-mbstring\nphp-mysql\nphp-ncurses\nphp-odbc\nphp-pdo\nphp-pgsql\nphp-process\nphp-pspell\nphp-recode\nphp-snmp\nphp-soap\nphp-tidy\nphp-xml\nphp-xmlrpc\nphp-zts\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0546.html", "published": "2012-05-07T17:09:19", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2012-May/018613.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-03T18:26:04"}, {"id": "CESA-2012:0547", "type": "centos", "title": "php53 security update", "description": "**CentOS Errata and Security Advisory** CESA-2012:0547\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi 
executable processed command line\narguments when running in CGI mode. A remote attacker could send a \nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This \ncould lead to the disclosure of the script's source code or arbitrary code \nexecution with the privileges of the PHP interpreter. (CVE-2012-1823) \n\nRed Hat is aware that a public exploit for this issue is available that \nallows remote code execution in affected PHP CGI configurations. This flaw \ndoes not affect the default configuration using the PHP module for Apache \nhttpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-May/018617.html\n\n**Affected packages:**\nphp53\nphp53-bcmath\nphp53-cli\nphp53-common\nphp53-dba\nphp53-devel\nphp53-gd\nphp53-imap\nphp53-intl\nphp53-ldap\nphp53-mbstring\nphp53-mysql\nphp53-odbc\nphp53-pdo\nphp53-pgsql\nphp53-process\nphp53-pspell\nphp53-snmp\nphp53-soap\nphp53-xml\nphp53-xmlrpc\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0547.html", "published": "2012-05-07T19:01:16", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2012-May/018617.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-10-03T18:26:01"}, {"id": "CESA-2012:1045", "type": "centos", "title": "php security update", "description": "**CentOS Errata and Security Advisory** CESA-2012:1045\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nIt was discovered that the PHP XSL extension did not restrict the file\nwriting capability of libxslt. 
A remote attacker could use this flaw to\ncreate or overwrite an arbitrary file that is writable by the user running\nPHP, if a PHP script processed untrusted eXtensible Style Sheet Language\nTransformations (XSLT) content. (CVE-2012-0057)\n\nNote: This update disables file writing by default. A new PHP configuration\ndirective, \"xsl.security_prefs\", can be used to enable file writing in\nXSLT.\n\nA flaw was found in the way PHP validated file names in file upload\nrequests. A remote attacker could possibly use this flaw to bypass the\nsanitization of the uploaded file names, and cause a PHP script to store\nthe uploaded file in an unexpected directory, by using a directory\ntraversal attack. (CVE-2012-1172)\n\nIt was discovered that the fix for CVE-2012-1823, released via\nRHSA-2012:0546, did not properly filter all php-cgi command line arguments.\nA specially-crafted request to a PHP script could cause the PHP interpreter\nto output usage information that triggers an Internal Server Error.\n(CVE-2012-2336)\n\nA memory leak flaw was found in the PHP strtotime() function call. A remote\nattacker could possibly use this flaw to cause excessive memory consumption\nby triggering many strtotime() function calls. (CVE-2012-0789)\n\nIt was found that PHP did not check the zend_strndup() function's return\nvalue in certain cases. A remote attacker could possibly use this flaw to\ncrash a PHP application. (CVE-2011-4153)\n\nAll php users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. 
After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-June/018702.html\n\n**Affected packages:**\nphp\nphp-bcmath\nphp-cli\nphp-common\nphp-dba\nphp-devel\nphp-gd\nphp-imap\nphp-ldap\nphp-mbstring\nphp-mysql\nphp-ncurses\nphp-odbc\nphp-pdo\nphp-pgsql\nphp-snmp\nphp-soap\nphp-xml\nphp-xmlrpc\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-1045.html", "published": "2012-06-27T16:21:47", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2012-June/018702.html", "cvelist": ["CVE-2012-2336", "CVE-2012-0789", "CVE-2012-1823", "CVE-2012-0057", "CVE-2012-1172", "CVE-2011-4153"], "lastseen": "2017-10-03T18:25:26"}, {"id": "CESA-2012:1047", "type": "centos", "title": "php53 security update", "description": "**CentOS Errata and Security Advisory** CESA-2012:1047\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nIt was discovered that the PHP XSL extension did not restrict the file\nwriting capability of libxslt. A remote attacker could use this flaw to\ncreate or overwrite an arbitrary file that is writable by the user running\nPHP, if a PHP script processed untrusted eXtensible Style Sheet Language\nTransformations (XSLT) content. (CVE-2012-0057)\n\nNote: This update disables file writing by default. A new PHP configuration\ndirective, \"xsl.security_prefs\", can be used to enable file writing in\nXSLT.\n\nA flaw was found in the way PHP validated file names in file upload\nrequests. A remote attacker could possibly use this flaw to bypass the\nsanitization of the uploaded file names, and cause a PHP script to store\nthe uploaded file in an unexpected directory, by using a directory\ntraversal attack. 
(CVE-2012-1172)\n\nMultiple integer overflow flaws, leading to heap-based buffer overflows,\nwere found in the way the PHP phar extension processed certain fields of\ntar archive files. A remote attacker could provide a specially-crafted tar\narchive file that, when processed by a PHP application using the phar\nextension, could cause the application to crash or, potentially, execute\narbitrary code with the privileges of the user running PHP. (CVE-2012-2386)\n\nA format string flaw was found in the way the PHP phar extension processed\ncertain PHAR files. A remote attacker could provide a specially-crafted\nPHAR file, which once processed in a PHP application using the phar\nextension, could lead to information disclosure and possibly arbitrary code\nexecution via a crafted phar:// URI. (CVE-2010-2950)\n\nA flaw was found in the DES algorithm implementation in the crypt()\npassword hashing function in PHP. If the password string to be hashed\ncontained certain characters, the remainder of the string was ignored when\ncalculating the hash, significantly reducing the password strength.\n(CVE-2012-2143)\n\nNote: With this update, passwords are no longer truncated when performing\nDES hashing. Therefore, new hashes of the affected passwords will not match\nstored hashes generated using vulnerable PHP versions, and will need to be\nupdated.\n\nIt was discovered that the fix for CVE-2012-1823, released via\nRHSA-2012:0547, did not properly filter all php-cgi command line arguments.\nA specially-crafted request to a PHP script could cause the PHP interpreter\nto execute the script in a loop, or output usage information that triggers\nan Internal Server Error. (CVE-2012-2336)\n\nA memory leak flaw was found in the PHP strtotime() function call. A remote\nattacker could possibly use this flaw to cause excessive memory consumption\nby triggering many strtotime() function calls. 
(CVE-2012-0789)\n\nIt was found that PHP did not check the zend_strndup() function's return\nvalue in certain cases. A remote attacker could possibly use this flaw to\ncrash a PHP application. (CVE-2011-4153)\n\nUpstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters\nof CVE-2012-2143.\n\nAll php53 users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-June/018703.html\n\n**Affected packages:**\nphp53\nphp53-bcmath\nphp53-cli\nphp53-common\nphp53-dba\nphp53-devel\nphp53-gd\nphp53-imap\nphp53-intl\nphp53-ldap\nphp53-mbstring\nphp53-mysql\nphp53-odbc\nphp53-pdo\nphp53-pgsql\nphp53-process\nphp53-pspell\nphp53-snmp\nphp53-soap\nphp53-xml\nphp53-xmlrpc\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-1047.html", "published": "2012-06-27T16:24:26", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2012-June/018703.html", "cvelist": ["CVE-2012-2336", "CVE-2012-2386", "CVE-2012-0789", "CVE-2012-1823", "CVE-2012-2143", "CVE-2012-0057", "CVE-2012-1172", "CVE-2010-2950", "CVE-2011-4153"], "lastseen": "2017-10-03T18:25:37"}, {"id": "CESA-2012:1046", "type": "centos", "title": "php security update", "description": "**CentOS Errata and Security Advisory** CESA-2012:1046\n\n\nPHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nIt was discovered that the PHP XSL extension did not restrict the file\nwriting capability of libxslt. 
A remote attacker could use this flaw to\ncreate or overwrite an arbitrary file that is writable by the user running\nPHP, if a PHP script processed untrusted eXtensible Style Sheet Language\nTransformations (XSLT) content. (CVE-2012-0057)\n\nNote: This update disables file writing by default. A new PHP configuration\ndirective, \"xsl.security_prefs\", can be used to enable file writing in\nXSLT.\n\nA flaw was found in the way PHP validated file names in file upload\nrequests. A remote attacker could possibly use this flaw to bypass the\nsanitization of the uploaded file names, and cause a PHP script to store\nthe uploaded file in an unexpected directory, by using a directory\ntraversal attack. (CVE-2012-1172)\n\nMultiple integer overflow flaws, leading to heap-based buffer overflows,\nwere found in the way the PHP phar extension processed certain fields of\ntar archive files. A remote attacker could provide a specially-crafted tar\narchive file that, when processed by a PHP application using the phar\nextension, could cause the application to crash or, potentially, execute\narbitrary code with the privileges of the user running PHP. (CVE-2012-2386)\n\nA format string flaw was found in the way the PHP phar extension processed\ncertain PHAR files. A remote attacker could provide a specially-crafted\nPHAR file, which once processed in a PHP application using the phar\nextension, could lead to information disclosure and possibly arbitrary code\nexecution via a crafted phar:// URI. (CVE-2010-2950)\n\nA flaw was found in the DES algorithm implementation in the crypt()\npassword hashing function in PHP. If the password string to be hashed\ncontained certain characters, the remainder of the string was ignored when\ncalculating the hash, significantly reducing the password strength.\n(CVE-2012-2143)\n\nNote: With this update, passwords are no longer truncated when performing\nDES hashing. 
Therefore, new hashes of the affected passwords will not match\nstored hashes generated using vulnerable PHP versions, and will need to be\nupdated.\n\nIt was discovered that the fix for CVE-2012-1823, released via\nRHSA-2012:0546, did not properly filter all php-cgi command line arguments.\nA specially-crafted request to a PHP script could cause the PHP interpreter\nto execute the script in a loop, or output usage information that triggers\nan Internal Server Error. (CVE-2012-2336)\n\nA memory leak flaw was found in the PHP strtotime() function call. A remote\nattacker could possibly use this flaw to cause excessive memory consumption\nby triggering many strtotime() function calls. (CVE-2012-0789)\n\nA NULL pointer dereference flaw was found in the PHP tidy_diagnose()\nfunction. A remote attacker could use specially-crafted input to crash an\napplication that uses tidy::diagnose. (CVE-2012-0781)\n\nIt was found that PHP did not check the zend_strndup() function's return\nvalue in certain cases. A remote attacker could possibly use this flaw to\ncrash a PHP application. (CVE-2011-4153)\n\nUpstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters\nof CVE-2012-2143.\n\nAll php users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. 
After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-July/018730.html\n\n**Affected packages:**\nphp\nphp-bcmath\nphp-cli\nphp-common\nphp-dba\nphp-devel\nphp-embedded\nphp-enchant\nphp-gd\nphp-imap\nphp-intl\nphp-ldap\nphp-mbstring\nphp-mysql\nphp-odbc\nphp-pdo\nphp-pgsql\nphp-process\nphp-pspell\nphp-recode\nphp-snmp\nphp-soap\nphp-tidy\nphp-xml\nphp-xmlrpc\nphp-zts\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-1046.html", "published": "2012-07-10T13:36:22", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2012-July/018730.html", "cvelist": ["CVE-2012-2336", "CVE-2012-2386", "CVE-2012-0789", "CVE-2012-1823", "CVE-2012-2143", "CVE-2012-0781", "CVE-2012-0057", "CVE-2012-1172", "CVE-2010-2950", "CVE-2011-4153"], "lastseen": "2017-10-03T18:24:26"}], "redhat": [{"id": "RHSA-2012:0547", "type": "redhat", "title": "(RHSA-2012:0547) Critical: php53 security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a \nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This \ncould lead to the disclosure of the script's source code or arbitrary code \nexecution with the privileges of the PHP interpreter. (CVE-2012-1823) \n\nRed Hat is aware that a public exploit for this issue is available that \nallows remote code execution in affected PHP CGI configurations. 
This flaw \ndoes not affect the default configuration using the PHP module for Apache \nhttpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "published": "2012-05-07T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0547", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-09-09T07:20:35"}, {"id": "RHSA-2012:0546", "type": "redhat", "title": "(RHSA-2012:0546) Critical: php security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration in Red Hat Enterprise Linux 5 and\n6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. 
After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "published": "2012-05-07T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0546", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-12-25T20:05:46"}, {"id": "RHSA-2012:0568", "type": "redhat", "title": "(RHSA-2012:0568) Critical: php security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration in Red Hat Enterprise Linux 5 and\n6 using the PHP module for Apache httpd to handle PHP scripts.\n\nAll php users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. 
After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "published": "2012-05-10T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0568", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-09-09T07:19:12"}, {"id": "RHSA-2012:0569", "type": "redhat", "title": "(RHSA-2012:0569) Critical: php53 security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA flaw was found in the way the php-cgi executable processed command line\narguments when running in CGI mode. A remote attacker could send a\nspecially-crafted request to a PHP script that would result in the query\nstring being parsed by php-cgi as command line options and arguments. This\ncould lead to the disclosure of the script's source code or arbitrary code\nexecution with the privileges of the PHP interpreter. (CVE-2012-1823)\n\nRed Hat is aware that a public exploit for this issue is available that\nallows remote code execution in affected PHP CGI configurations. This flaw\ndoes not affect the default configuration using the PHP module for Apache\nhttpd to handle PHP scripts.\n\nAll php53 users should upgrade to these updated packages, which contain a\nbackported patch to resolve this issue. 
After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "published": "2012-05-10T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0569", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-09-09T07:19:23"}, {"id": "RHSA-2012:1045", "type": "redhat", "title": "(RHSA-2012:1045) Moderate: php security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nIt was discovered that the PHP XSL extension did not restrict the file\nwriting capability of libxslt. A remote attacker could use this flaw to\ncreate or overwrite an arbitrary file that is writable by the user running\nPHP, if a PHP script processed untrusted eXtensible Style Sheet Language\nTransformations (XSLT) content. (CVE-2012-0057)\n\nNote: This update disables file writing by default. A new PHP configuration\ndirective, \"xsl.security_prefs\", can be used to enable file writing in\nXSLT.\n\nA flaw was found in the way PHP validated file names in file upload\nrequests. A remote attacker could possibly use this flaw to bypass the\nsanitization of the uploaded file names, and cause a PHP script to store\nthe uploaded file in an unexpected directory, by using a directory\ntraversal attack. (CVE-2012-1172)\n\nIt was discovered that the fix for CVE-2012-1823, released via\nRHSA-2012:0546, did not properly filter all php-cgi command line arguments.\nA specially-crafted request to a PHP script could cause the PHP interpreter\nto output usage information that triggers an Internal Server Error.\n(CVE-2012-2336)\n\nA memory leak flaw was found in the PHP strtotime() function call. A remote\nattacker could possibly use this flaw to cause excessive memory consumption\nby triggering many strtotime() function calls. 
(CVE-2012-0789)\n\nIt was found that PHP did not check the zend_strndup() function's return\nvalue in certain cases. A remote attacker could possibly use this flaw to\ncrash a PHP application. (CVE-2011-4153)\n\nAll php users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "published": "2012-06-27T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2012:1045", "cvelist": ["CVE-2011-4153", "CVE-2012-0057", "CVE-2012-0789", "CVE-2012-1172", "CVE-2012-1823", "CVE-2012-2336"], "lastseen": "2017-09-09T07:20:01"}, {"id": "RHSA-2012:1047", "type": "redhat", "title": "(RHSA-2012:1047) Moderate: php53 security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nIt was discovered that the PHP XSL extension did not restrict the file\nwriting capability of libxslt. A remote attacker could use this flaw to\ncreate or overwrite an arbitrary file that is writable by the user running\nPHP, if a PHP script processed untrusted eXtensible Style Sheet Language\nTransformations (XSLT) content. (CVE-2012-0057)\n\nNote: This update disables file writing by default. A new PHP configuration\ndirective, \"xsl.security_prefs\", can be used to enable file writing in\nXSLT.\n\nA flaw was found in the way PHP validated file names in file upload\nrequests. A remote attacker could possibly use this flaw to bypass the\nsanitization of the uploaded file names, and cause a PHP script to store\nthe uploaded file in an unexpected directory, by using a directory\ntraversal attack. (CVE-2012-1172)\n\nMultiple integer overflow flaws, leading to heap-based buffer overflows,\nwere found in the way the PHP phar extension processed certain fields of\ntar archive files. 
A remote attacker could provide a specially-crafted tar\narchive file that, when processed by a PHP application using the phar\nextension, could cause the application to crash or, potentially, execute\narbitrary code with the privileges of the user running PHP. (CVE-2012-2386)\n\nA format string flaw was found in the way the PHP phar extension processed\ncertain PHAR files. A remote attacker could provide a specially-crafted\nPHAR file, which once processed in a PHP application using the phar\nextension, could lead to information disclosure and possibly arbitrary code\nexecution via a crafted phar:// URI. (CVE-2010-2950)\n\nA flaw was found in the DES algorithm implementation in the crypt()\npassword hashing function in PHP. If the password string to be hashed\ncontained certain characters, the remainder of the string was ignored when\ncalculating the hash, significantly reducing the password strength.\n(CVE-2012-2143)\n\nNote: With this update, passwords are no longer truncated when performing\nDES hashing. Therefore, new hashes of the affected passwords will not match\nstored hashes generated using vulnerable PHP versions, and will need to be\nupdated.\n\nIt was discovered that the fix for CVE-2012-1823, released via\nRHSA-2012:0547, did not properly filter all php-cgi command line arguments.\nA specially-crafted request to a PHP script could cause the PHP interpreter\nto execute the script in a loop, or output usage information that triggers\nan Internal Server Error. (CVE-2012-2336)\n\nA memory leak flaw was found in the PHP strtotime() function call. A remote\nattacker could possibly use this flaw to cause excessive memory consumption\nby triggering many strtotime() function calls. (CVE-2012-0789)\n\nIt was found that PHP did not check the zend_strndup() function's return\nvalue in certain cases. A remote attacker could possibly use this flaw to\ncrash a PHP application. 
(CVE-2011-4153)\n\nUpstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters\nof CVE-2012-2143.\n\nAll php53 users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "published": "2012-06-27T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2012:1047", "cvelist": ["CVE-2010-2950", "CVE-2011-4153", "CVE-2012-0057", "CVE-2012-0789", "CVE-2012-1172", "CVE-2012-1823", "CVE-2012-2143", "CVE-2012-2336", "CVE-2012-2386"], "lastseen": "2017-09-09T07:19:23"}, {"id": "RHSA-2012:1046", "type": "redhat", "title": "(RHSA-2012:1046) Moderate: php security update", "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nIt was discovered that the PHP XSL extension did not restrict the file\nwriting capability of libxslt. A remote attacker could use this flaw to\ncreate or overwrite an arbitrary file that is writable by the user running\nPHP, if a PHP script processed untrusted eXtensible Style Sheet Language\nTransformations (XSLT) content. (CVE-2012-0057)\n\nNote: This update disables file writing by default. A new PHP configuration\ndirective, \"xsl.security_prefs\", can be used to enable file writing in\nXSLT.\n\nA flaw was found in the way PHP validated file names in file upload\nrequests. A remote attacker could possibly use this flaw to bypass the\nsanitization of the uploaded file names, and cause a PHP script to store\nthe uploaded file in an unexpected directory, by using a directory\ntraversal attack. (CVE-2012-1172)\n\nMultiple integer overflow flaws, leading to heap-based buffer overflows,\nwere found in the way the PHP phar extension processed certain fields of\ntar archive files. 
A remote attacker could provide a specially-crafted tar\narchive file that, when processed by a PHP application using the phar\nextension, could cause the application to crash or, potentially, execute\narbitrary code with the privileges of the user running PHP. (CVE-2012-2386)\n\nA format string flaw was found in the way the PHP phar extension processed\ncertain PHAR files. A remote attacker could provide a specially-crafted\nPHAR file, which once processed in a PHP application using the phar\nextension, could lead to information disclosure and possibly arbitrary code\nexecution via a crafted phar:// URI. (CVE-2010-2950)\n\nA flaw was found in the DES algorithm implementation in the crypt()\npassword hashing function in PHP. If the password string to be hashed\ncontained certain characters, the remainder of the string was ignored when\ncalculating the hash, significantly reducing the password strength.\n(CVE-2012-2143)\n\nNote: With this update, passwords are no longer truncated when performing\nDES hashing. Therefore, new hashes of the affected passwords will not match\nstored hashes generated using vulnerable PHP versions, and will need to be\nupdated.\n\nIt was discovered that the fix for CVE-2012-1823, released via\nRHSA-2012:0546, did not properly filter all php-cgi command line arguments.\nA specially-crafted request to a PHP script could cause the PHP interpreter\nto execute the script in a loop, or output usage information that triggers\nan Internal Server Error. (CVE-2012-2336)\n\nA memory leak flaw was found in the PHP strtotime() function call. A remote\nattacker could possibly use this flaw to cause excessive memory consumption\nby triggering many strtotime() function calls. (CVE-2012-0789)\n\nA NULL pointer dereference flaw was found in the PHP tidy_diagnose()\nfunction. A remote attacker could use specially-crafted input to crash an\napplication that uses tidy::diagnose. 
(CVE-2012-0781)\n\nIt was found that PHP did not check the zend_strndup() function's return\nvalue in certain cases. A remote attacker could possibly use this flaw to\ncrash a PHP application. (CVE-2011-4153)\n\nUpstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters\nof CVE-2012-2143.\n\nAll php users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted for the update to take effect.\n", "published": "2012-06-27T04:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2012:1046", "cvelist": ["CVE-2010-2950", "CVE-2011-4153", "CVE-2012-0057", "CVE-2012-0781", "CVE-2012-0789", "CVE-2012-1172", "CVE-2012-1823", "CVE-2012-2143", "CVE-2012-2336", "CVE-2012-2386"], "lastseen": "2017-12-25T20:05:53"}], "nmap": [{"id": "NMAP:HTTP-VULN-CVE2012-1823.NSE", "type": "nmap", "title": "http-vuln-cve2012-1823 NSE Script", "description": "Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This critical vulnerability allows attackers to retrieve source code and execute code remotely. \n\nThe script works by appending \"?-s\" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern \"<span style=.*>&lt;?\" to detect vulnerable installations.\n\n## Script Arguments \n\n#### http-vuln-cve2012-1823.uri \n\nURI. Default: /index.php\n\n#### http-vuln-cve2012-1823.cmd \n\nCMD. Default: uname -a\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. 
\n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -sV --script http-vuln-cve2012-1823 <target>\n nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-vuln-cve2012-1823:\n | VULNERABLE:\n | PHP-CGI Remote code execution and source code disclosure\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:2012-1823\n | Description:\n | According to PHP's website, \"PHP is a widely-used general-purpose\n | scripting language that is especially suited for Web development and\n | can be embedded into HTML.\" When PHP is used in a CGI-based setup\n | (such as Apache's mod_cgid), the php-cgi receives a processed query\n | string parameter as command line arguments which allows command-line\n | switches, such as -s, -d or -c to be passed to the php-cgi binary,\n | which can be exploited to disclose source code and obtain arbitrary\n | code execution.\n | Disclosure date: 2012-05-03\n | Extra information:\n | Proof of Concept:/index.php?-s\n | References:\n | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/\n | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823\n |_ http://ompldr.org/vZGxxaQ\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * string\n * vulns\n\n* * *\n", "published": "2012-05-08T05:56:04", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2012-1823.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-08-24T15:17:49"}], "zdt": [{"id": "1337DAY-ID-21429", "type": "zdt", "title": "Apache Magicka Remote Code Execution Vulnerability", "description": "Apache and PHP remote command execution exploit that leverages php5-cgi.", "published": "2013-10-31T00:00:00", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/21429", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-04-10T01:47:15"}], "saint": [{"id": "SAINT:A44F3BA5218E70289A3DA48E0A2F5B88", "type": "saint", "title": "PHP CGI Query String Parameters Command Execution", "description": "Added: 05/15/2012 \nCVE: [CVE-2012-1823](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>) \nBID: [53388](<http://www.securityfocus.com/bid/53388>) \nOSVDB: [81633](<http://www.osvdb.org/81633>) \n\n\n### Background\n\nPHP is a widely used general-purpose scripting language that is especially suited for Web development. \n\n### Problem\n\nWhen configured as a CGI script (aka php-cgi), PHP does not properly handle query string parameters which are passed directly to the php-cgi program. This can be exploited to execute arbitrary system commands or disclose the PHP source code. \n\n### Resolution\n\nUpgrade PHP to version 5.4.3 or 5.3.13 or higher. \n\n### References\n\n<http://secunia.com/advisories/49014> \n<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823> \n\n\n### Limitations\n\nThis exploit has been tested against PHP 5.3.10 on Windows XP SP3 and PHP 5.4.0 on Ubuntu 11.10 Linux. 
\n\n### Platforms\n\nWindows \nLinux \nMac OS X \n \n\n", "published": "2012-05-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/php_cgi_arg_rce", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-10-03T15:01:58"}, {"id": "SAINT:4757B9E50DEDA6FBFE3C977620C279FB", "type": "saint", "title": "PHP CGI Query String Parameters Command Execution", "description": "Added: 05/15/2012 \nCVE: [CVE-2012-1823](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>) \nBID: [53388](<http://www.securityfocus.com/bid/53388>) \nOSVDB: [81633](<http://www.osvdb.org/81633>) \n\n\n### Background\n\nPHP is a widely used general-purpose scripting language that is especially suited for Web development. \n\n### Problem\n\nWhen configured as a CGI script (aka php-cgi), PHP does not properly handle query string parameters which are passed directly to the php-cgi program. This can be exploited to execute arbitrary system commands or disclose the PHP source code. \n\n### Resolution\n\nUpgrade PHP to version 5.4.3 or 5.3.13 or higher. \n\n### References\n\n<http://secunia.com/advisories/49014> \n<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823> \n\n\n### Limitations\n\nThis exploit has been tested against PHP 5.3.10 on Windows XP SP3 and PHP 5.4.0 on Ubuntu 11.10 Linux. 
\n\n### Platforms\n\nWindows \nLinux \nMac OS X \n \n\n", "published": "2012-05-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/php_cgi_arg_rce", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-12-14T16:58:04"}, {"id": "SAINT:383F4FB67DCF7CAE7E06F44A5B5DC13F", "type": "saint", "title": "PHP CGI Query String Parameters Command Execution", "description": "Added: 05/15/2012 \nCVE: [CVE-2012-1823](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>) \nBID: [53388](<http://www.securityfocus.com/bid/53388>) \nOSVDB: [81633](<http://www.osvdb.org/81633>) \n\n\n### Background\n\nPHP is a widely used general-purpose scripting language that is especially suited for Web development. \n\n### Problem\n\nWhen configured as a CGI script (aka php-cgi), PHP does not properly handle query string parameters which are passed directly to the php-cgi program. This can be exploited to execute arbitrary system commands or disclose the PHP source code. \n\n### Resolution\n\nUpgrade PHP to version 5.4.3 or 5.3.13 or higher. \n\n### References\n\n<http://secunia.com/advisories/49014> \n<http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823> \n\n\n### Limitations\n\nThis exploit has been tested against PHP 5.3.10 on Windows XP SP3 and PHP 5.4.0 on Ubuntu 11.10 Linux. 
\n\n### Platforms\n\nWindows \nLinux \nMac OS X \n \n\n", "published": "2012-05-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/php_cgi_arg_rce", "cvelist": ["CVE-2012-1823"], "lastseen": "2017-01-10T14:03:44"}], "freebsd": [{"id": "60DE13D5-95F0-11E1-806A-001143CD36D8", "type": "freebsd", "title": "php -- vulnerability in certain CGI-based setups", "description": "\nphp development team reports:\n\nSecurity Enhancements and Fixes in PHP 5.3.12:\n\nInitial fix for cgi-bin ?-s cmdarg parse issue\n\t (CVE-2012-1823)\n\n\n", "published": "2012-05-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/60de13d5-95f0-11e1-806a-001143cd36d8.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-09-26T17:24:38"}, {"id": "59B68B1E-9C78-11E1-B5E0-000C299B62E1", "type": "freebsd", "title": "php -- multiple vulnerabilities", "description": "\nThe PHP Development Team reports:\n\nThe release of PHP 5.4.13 and 5.4.3 complete a fix for the\n\t vulnerability in CGI-based setups as originally described in\n\t CVE-2012-1823. (CVE-2012-2311)\nNote: mod_php and php-fpm are not vulnerable to this attack.\nPHP 5.4.3 fixes a buffer overflow vulnerability in the\n\t apache_request_headers() (CVE-2012-2329).\n\n", "published": "2012-05-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/59b68b1e-9c78-11e1-b5e0-000c299b62e1.html", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-2329"], "lastseen": "2016-09-26T17:24:38"}], "metasploit": [{"id": "MSF:EXPLOIT/MULTI/HTTP/PHP_CGI_ARG_INJECTION", "type": "metasploit", "title": "PHP CGI Argument Injection", "description": "When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. 
This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: \"if there is NO unescaped '=' in the query string, the string is split on '+' (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the \"encoded in a system-defined manner\" from the RFC) and then passes them to the CGI binary.\" This module can also be used to exploit the plesk 0day disclosed by kingcope and exploited in the wild on June 2013.", "published": "2012-05-04T17:17:41", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-04-10T12:19:05"}], "canvas": [{"id": "PHP_CGI_REMOTE", "type": "canvas", "title": "Immunity Canvas: PHP_CGI_REMOTE", "description": "**Name**| php_cgi_remote \n---|--- \n**CVE**| CVE-2012-1823 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| php_cgi_remote \n**Notes**| CVE Name: CVE-2012-1823 \nVENDOR: www.php.net \nNotes: \nAlso see: \nhttp://www.kb.cert.org/vuls/id/520827 \n \n \n \nRepeatability: Infinite \nCVE URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1823 \nCVSS: 7.5 \n\n", "published": "2012-05-11T06:15:48", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/php_cgi_remote", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-09-25T14:14:16"}], "symantec": [{"id": "SMNTC-53388", "type": "symantec", "title": "PHP 'php-cgi' Information Disclosure Vulnerability", "description": "### Description\n\nPHP is prone to an information-disclosure vulnerability. Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. 
This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer; other attacks are also possible.\n\n### Technologies Affected\n\n * Apple Mac OS X 10.6.8 \n * Apple Mac OS X 10.7 \n * Apple Mac OS X 10.7.1 \n * Apple Mac OS X 10.7.2 \n * Apple Mac OS X 10.7.3 \n * Apple Mac OS X 10.7.4 \n * Apple Mac OS X 10.8 \n * Apple Mac OS X 10.8.1 \n * Apple Mac OS X Server 10.6.8 \n * Apple Mac OS X Server 10.7 \n * Apple Mac OS X Server 10.7.1 \n * Apple Mac OS X Server 10.7.2 \n * Apple Mac OS X Server 10.7.3 \n * Apple Mac OS X Server 10.7.5 \n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Communication Manager 6.0 \n * Avaya Aura Communication Manager 6.0.1 \n * Avaya Aura Communication Manager Utility Services 6.0 \n * Avaya Aura Communication Manager Utility Services 6.1 \n * Avaya Aura Communication Manager Utility Services 6.2 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Messaging 6.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 5.2 SP1 \n * Avaya Aura Session Manager 5.2 SP2 \n * Avaya IP Office Application Server 6.0 \n * Avaya IP Office Application Server 6.1 \n * Avaya IP Office Application Server 7.0 \n * Avaya IP Office Application Server 8.0 \n * Avaya IP Office Application Server 8.1 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.0 SP2 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 SP1 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Debian Linux 6.0 amd64 \n * Debian Linux 6.0 arm \n * Debian Linux 6.0 ia-32 \n * Debian Linux 6.0 ia-64 \n * Debian Linux 6.0 mips \n * Debian Linux 
6.0 powerpc \n * Debian Linux 6.0 s/390 \n * Debian Linux 6.0 sparc \n * Fedoraproject Fedora 15 \n * Fedoraproject Fedora 16 \n * Fedoraproject Fedora 17 \n * Gentoo Linux \n * HP HP-UX B.11.31 \n * HP System Management Homepage 6.0 \n * HP System Management Homepage 6.1 \n * HP System Management Homepage 6.2 \n * HP System Management Homepage 6.3 \n * HP System Management Homepage 7.0 \n * HP System Management Homepage 7.1 \n * HP System Management Homepage 7.1.1 \n * HP System Management Homepage 7.1.2 \n * HP System Management Homepage 7.2.0 \n * IBM Lotus Foundations Start 1.2 \n * IBM Lotus Foundations Start 1.2.2A \n * Juniper CTPView 4.2 \n * Juniper CTPView 4.3 \n * Juniper CTPView 4.4 \n * Juniper CTPView 4.5 \n * Juniper CTPView 4.6 \n * Mandriva Enterprise Server 5 \n * Mandriva Enterprise Server 5 X86 64 \n * Mandriva Linux Mandrake 2010.1 \n * Mandriva Linux Mandrake 2010.1 X86 64 \n * Mandriva Linux Mandrake 2011 \n * Mandriva Linux Mandrake 2011 x86_64 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * PHP PHP 5.3.1 \n * PHP PHP 5.3.10 \n * PHP PHP 5.3.12 \n * PHP PHP 5.3.2 \n * PHP PHP 5.3.3 \n * PHP PHP 5.3.4 \n * PHP PHP 5.3.5 \n * PHP PHP 5.3.6 \n * PHP PHP 5.3.7 \n * PHP PHP 5.3.8 \n * PHP PHP 5.3.9 \n * PHP PHP 5.4.0 \n * PHP PHP 5.4.1 \n * PHP PHP 5.4.2 \n * Parallels Parallels Plesk Panel 8.6 \n * Parallels Parallels Plesk Panel 9.0 \n * Parallels Parallels Plesk Panel 9.2 \n * Parallels Parallels Plesk Panel 9.3 \n * Parallels Parallels Plesk Panel 9.5.4 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Workstation 5 Client \n * Redhat Enterprise Linux EUS 5.6.Z server \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux Long Life 5.3 server \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server EUS 6.0 \n * Redhat Enterprise Linux Server 
EUS 6.1.z \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Optional EUS 6.0 \n * Redhat Enterprise Linux Server Optional EUS 6.1 \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * SuSE SUSE Linux Enterprise SDK 10 SP4 \n * SuSE SUSE Linux Enterprise SDK 11 SP1 \n * SuSE SUSE Linux Enterprise SDK 11 SP2 \n * SuSE SUSE Linux Enterprise Server 10 SP3 LTSS \n * SuSE SUSE Linux Enterprise Server 10 SP4 \n * SuSE SUSE Linux Enterprise Server 11 SP1 \n * SuSE SUSE Linux Enterprise Server 11 SP2 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP1 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP2 \n * SuSE openSUSE 11.4 \n * SuSE openSUSE 12.1 \n * Turbolinux 11 Server \n * Turbolinux 11 Server X64 \n * Turbolinux Appliance Server 3.0 \n * Turbolinux Appliance Server 3.0 X64 \n * Turbolinux Client 2008 \n * Ubuntu Ubuntu Linux 10.04 ARM \n * Ubuntu Ubuntu Linux 10.04 Amd64 \n * Ubuntu Ubuntu Linux 10.04 I386 \n * Ubuntu Ubuntu Linux 10.04 Powerpc \n * Ubuntu Ubuntu Linux 10.04 Sparc \n * Ubuntu Ubuntu Linux 11.04 ARM \n * Ubuntu Ubuntu Linux 11.04 amd64 \n * Ubuntu Ubuntu Linux 11.04 i386 \n * Ubuntu Ubuntu Linux 11.04 powerpc \n * Ubuntu Ubuntu Linux 11.10 amd64 \n * Ubuntu Ubuntu Linux 11.10 i386 \n * Ubuntu Ubuntu Linux 12.04 LTS amd64 \n * Ubuntu Ubuntu Linux 12.04 LTS i386 \n * Ubuntu Ubuntu Linux 8.04 LTS Amd64 \n * Ubuntu Ubuntu Linux 8.04 LTS I386 \n * Ubuntu Ubuntu Linux 8.04 LTS Lpia \n * Ubuntu Ubuntu Linux 8.04 LTS Powerpc \n * Ubuntu Ubuntu Linux 8.04 LTS Sparc \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. 
Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nExecute all software as a user with minimal privileges. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content.\n\nUpdates are available. Please see the references for more information.\n", "published": "2012-05-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53388", "cvelist": ["CVE-2012-1823"], "lastseen": "2018-03-12T02:29:28"}], "amazon": [{"id": "ALAS-2012-77", "type": "amazon", "title": "Critical: php", "description": "**Issue Overview:**\n\nA flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. ([CVE-2012-1823](<https://access.redhat.com/security/cve/CVE-2012-1823>))\n\n \n**Affected Packages:** \n\n\nphp\n\n \n**Issue Correction:** \nRun _yum update php_ to update your system. 
\n\n \n**New Packages:**\n \n \n i686: \n php-dba-5.3.13-1.20.amzn1.i686 \n php-process-5.3.13-1.20.amzn1.i686 \n php-mysql-5.3.13-1.20.amzn1.i686 \n php-xml-5.3.13-1.20.amzn1.i686 \n php-pdo-5.3.13-1.20.amzn1.i686 \n php-snmp-5.3.13-1.20.amzn1.i686 \n php-mbstring-5.3.13-1.20.amzn1.i686 \n php-devel-5.3.13-1.20.amzn1.i686 \n php-xmlrpc-5.3.13-1.20.amzn1.i686 \n php-mssql-5.3.13-1.20.amzn1.i686 \n php-soap-5.3.13-1.20.amzn1.i686 \n php-odbc-5.3.13-1.20.amzn1.i686 \n php-bcmath-5.3.13-1.20.amzn1.i686 \n php-5.3.13-1.20.amzn1.i686 \n php-mcrypt-5.3.13-1.20.amzn1.i686 \n php-tidy-5.3.13-1.20.amzn1.i686 \n php-debuginfo-5.3.13-1.20.amzn1.i686 \n php-ldap-5.3.13-1.20.amzn1.i686 \n php-recode-5.3.13-1.20.amzn1.i686 \n php-fpm-5.3.13-1.20.amzn1.i686 \n php-common-5.3.13-1.20.amzn1.i686 \n php-imap-5.3.13-1.20.amzn1.i686 \n php-embedded-5.3.13-1.20.amzn1.i686 \n php-cli-5.3.13-1.20.amzn1.i686 \n php-pgsql-5.3.13-1.20.amzn1.i686 \n php-intl-5.3.13-1.20.amzn1.i686 \n php-mysqlnd-5.3.13-1.20.amzn1.i686 \n php-pspell-5.3.13-1.20.amzn1.i686 \n php-gd-5.3.13-1.20.amzn1.i686 \n \n src: \n php-5.3.13-1.20.amzn1.src \n \n x86_64: \n php-snmp-5.3.13-1.20.amzn1.x86_64 \n php-mcrypt-5.3.13-1.20.amzn1.x86_64 \n php-5.3.13-1.20.amzn1.x86_64 \n php-devel-5.3.13-1.20.amzn1.x86_64 \n php-dba-5.3.13-1.20.amzn1.x86_64 \n php-mssql-5.3.13-1.20.amzn1.x86_64 \n php-process-5.3.13-1.20.amzn1.x86_64 \n php-imap-5.3.13-1.20.amzn1.x86_64 \n php-pspell-5.3.13-1.20.amzn1.x86_64 \n php-bcmath-5.3.13-1.20.amzn1.x86_64 \n php-common-5.3.13-1.20.amzn1.x86_64 \n php-xml-5.3.13-1.20.amzn1.x86_64 \n php-odbc-5.3.13-1.20.amzn1.x86_64 \n php-debuginfo-5.3.13-1.20.amzn1.x86_64 \n php-xmlrpc-5.3.13-1.20.amzn1.x86_64 \n php-fpm-5.3.13-1.20.amzn1.x86_64 \n php-cli-5.3.13-1.20.amzn1.x86_64 \n php-pgsql-5.3.13-1.20.amzn1.x86_64 \n php-mbstring-5.3.13-1.20.amzn1.x86_64 \n php-ldap-5.3.13-1.20.amzn1.x86_64 \n php-recode-5.3.13-1.20.amzn1.x86_64 \n php-intl-5.3.13-1.20.amzn1.x86_64 \n php-soap-5.3.13-1.20.amzn1.x86_64 
\n php-mysqlnd-5.3.13-1.20.amzn1.x86_64 \n php-tidy-5.3.13-1.20.amzn1.x86_64 \n php-mysql-5.3.13-1.20.amzn1.x86_64 \n php-pdo-5.3.13-1.20.amzn1.x86_64 \n php-embedded-5.3.13-1.20.amzn1.x86_64 \n php-gd-5.3.13-1.20.amzn1.x86_64 \n \n \n", "published": "2012-05-09T14:54:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2012-77.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-09-28T21:04:03"}], "oraclelinux": [{"id": "ELSA-2012-0547", "type": "oraclelinux", "title": "php53 security update", "description": "[5.3.3-7]\n- correct detection of = in CVE-2012-1823 fix (#818607)\n[5.3.3-6]\n- add security fix for CVE-2012-1823 (#818607)", "published": "2012-05-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2012-0547.html", "cvelist": ["CVE-2012-1823"], "lastseen": "2016-09-04T11:16:54"}, {"id": "ELSA-2012-1046", "type": "oraclelinux", "title": "php security update", "description": "[5.3.3-14]\n- add security fix for CVE-2010-2950\n[5.3.3-13]\n- fix tests for CVE-2012-2143, CVE-2012-0789\n[5.3.3-12]\n- add fix for CVE-2012-2336\n[5.3.3-11]\n- add security fixes for CVE-2012-0781, CVE-2011-4153, CVE-2012-0057,\n CVE-2012-0789, CVE-2012-1172, CVE-2012-2143, CVE-2012-2386\n[5.3.3-9]\n- correct detection of = in CVE-2012-1823 fix (#818607)\n[5.3.3-8]\n- add security fix for CVE-2012-1823 (#818607)\n[5.3.3-7]\n- add security fix for CVE-2012-0830 (#786744)\n[5.3.3-6]\n- merge Joe's changes:\n- improve CVE-2011-1466 fix to cover CAL_GREGORIAN, CAL_JEWISH\n- add security fixes for CVE-2011-2483, CVE-2011-0708, CVE-2011-1148,\n CVE-2011-1466, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470,\n CVE-2011-1471, CVE-2011-1938, and CVE-2011-2202 (#740732)\n[5.3.3-5]\n- remove extra php.ini-prod/devel files caused by %patch -b\n[5.3.3-4]\n- add security fixes for CVE-2011-4885, CVE-2011-4566 
(#769755)", "published": "2012-06-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2012-1046.html", "cvelist": ["CVE-2011-1471", "CVE-2012-2336", "CVE-2012-2386", "CVE-2011-1148", "CVE-2011-1466", "CVE-2012-0789", "CVE-2012-1823", "CVE-2011-1938", "CVE-2012-2143", "CVE-2011-4885", "CVE-2011-2483", "CVE-2012-0830", "CVE-2012-0781", "CVE-2011-0708", "CVE-2011-1468", "CVE-2012-0057", "CVE-2012-1172", "CVE-2011-1470", "CVE-2011-1469", "CVE-2011-4566", "CVE-2011-2202", "CVE-2010-2950", "CVE-2011-4153"], "lastseen": "2016-09-04T11:15:59"}], "suse": [{"id": "OPENSUSE-SU-2012:0590-1", "type": "suse", "title": "update for php5 (critical)", "description": "when used in CGI mode remote attackers could inject command\n line arguments to php\n\n", "published": "2012-05-07T16:08:55", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.html", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "lastseen": "2016-09-04T11:39:50"}, {"id": "SUSE-SU-2012:0598-1", "type": "suse", "title": "Security update for PHP5 (critical)", "description": "This update fixes several security issues in PHP5:\n\n * CVE-2012-1172: A directory traversal bug has been\n fixed in php5.\n * CVE-2012-1823, CVE-2012-2311: A command injection was\n possible when PHP5 was operated in CGI mode using\n commandline options. This problem does not affect PHP5 in\n the normal Apache module mode setup.\n * Also a pack/unpacking bug on big endian 64bit\n architectures (ppc64 and s390x) has been fixed. 
bnc#753778\n", "published": "2012-05-09T02:08:18", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "lastseen": "2016-09-04T11:51:43"}, {"id": "SUSE-SU-2012:0604-1", "type": "suse", "title": "Security update for PHP5 (critical)", "description": "This update fixes several security issues in PHP5:\n\n * CVE-2012-1172: A directory traversal bug has been\n fixed in PHP5\n * CVE-2012-1823, CVE-2012-2311: A command injection was\n possible when PHP5 was operated in CGI mode using\n commandline options. This problem does not affect PHP5 in\n the normal Apache module mode setup.\n", "published": "2012-05-09T22:08:16", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "lastseen": "2016-09-04T11:46:39"}, {"id": "SUSE-SU-2012:0598-2", "type": "suse", "title": "Security update for PHP5 (critical)", "description": "This update fixes several security issues in PHP5:\n\n * CVE-2012-1172: A directory traversal bug has been\n fixed in PHP5.\n * CVE-2012-1823, CVE-2012-2311: A command injection was\n possible when PHP5 was operated in CGI mode using\n commandline options. This problem does not affect PHP5 in\n the normal apache module mode setup.\n * Also a pack/unpacking bug on big endian 64bit\n architectures (ppc64 and s390x) has been fixed. 
bnc#753778\n", "published": "2012-05-09T06:08:17", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00008.html", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "lastseen": "2016-09-04T11:38:36"}, {"id": "SUSE-SU-2013:1351-1", "type": "suse", "title": "Security update for PHP5 (important)", "description": "php5 has been updated to roll up all pending security fixes\n for Long Term Service Pack Support.\n\n The Following security issues have been fixed:\n\n *\n\n CVE-2013-4635: Integer overflow in the SdnToJewish\n function in jewish.c in the Calendar component in PHP\n allowed context-dependent attackers to cause a denial of\n service (application hang) via a large argument to the\n jdtojewish function.\n\n *\n\n CVE-2013-1635: ext/soap/soap.c in PHP did not\n validate the relationship between the soap.wsdl_cache_dir\n directive and the open_basedir directive, which allowed\n remote attackers to bypass intended access restrictions by\n triggering the creation of cached SOAP WSDL files in an\n arbitrary directory.\n\n *\n\n CVE-2013-1643: The SOAP parser in PHP allowed remote\n attackers to read arbitrary files via a SOAP WSDL file\n containing an XML external entity declaration in\n conjunction with an entity reference, related to an XML\n External Entity (XXE) issue in the soap_xmlParseFile and\n soap_xmlParseMemory functions.\n\n *\n\n CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27\n does not properly consider parsing depth, which allowed\n remote attackers to cause a denial of service (heap memory\n corruption) or possibly have unspecified other impact via a\n crafted document that is processed by the\n xml_parse_into_struct function.\n\n *\n\n CVE-2011-1398 / CVE-2012-4388: The sapi_header_op\n function in main/SAPI.c in PHP did not check for %0D\n sequences (aka carriage return characters), which allowed\n remote attackers to 
bypass an HTTP response-splitting\n protection mechanism via a crafted URL, related to improper\n interaction between the PHP header function and certain\n browsers, as demonstrated by Internet Explorer and Google\n Chrome.\n\n *\n\n CVE-2012-2688: An unspecified vulnerability in the\n _php_stream_scandir function in the stream implementation\n in PHP had unknown impact and remote attack vectors,\n related to an \"overflow.\"\n\n *\n\n CVE-2012-3365: The SQLite functionality in PHP before\n 5.3.15 allowed remote attackers to bypass the open_basedir\n protection mechanism via unspecified vectors.\n\n *\n\n CVE-2012-1823: sapi/cgi/cgi_main.c in PHP, when\n configured as a CGI script (aka php-cgi), did not properly\n handle query strings that lack an = (equals sign)\n character, which allowed remote attackers to execute\n arbitrary code by placing command-line options in the query\n string, related to lack of skipping a certain php_getopt\n for the 'd' case.\n\n *\n\n CVE-2012-2335: php-wrapper.fcgi did not properly\n handle command-line arguments, which allowed remote\n attackers to bypass a protection mechanism in PHP and\n execute arbitrary code by leveraging improper interaction\n between the PHP sapi/cgi/cgi_main.c component and a query\n string beginning with a +- sequence.\n\n *\n\n CVE-2012-2336: sapi/cgi/cgi_main.c in PHP, when\n configured as a CGI script (aka php-cgi), did not properly\n handle query strings that lack an = (equals sign)\n character, which allowed remote attackers to cause a denial\n of service (resource consumption) by placing command-line\n options in the query string, related to lack of skipping a\n certain php_getopt for the 'T' case. 
NOTE: this\n vulnerability exists because of an incomplete fix for\n CVE-2012-1823.\n\n *\n\n CVE-2012-2311: sapi/cgi/cgi_main.c in PHP, when\n configured as a CGI script (aka php-cgi), does not properly\n handle query strings that contain a %3D sequence but no =\n (equals sign) character, which allows remote attackers to\n execute arbitrary code by placing command-line options in\n the query string, related to lack of skipping a certain\n php_getopt for the 'd' case. NOTE: this vulnerability\n exists because of an incomplete fix for CVE-2012-1823.\n\n *\n\n CVE-2012-1172: The file-upload implementation in\n rfc1867.c in PHP did not properly handle invalid [ (open\n square bracket) characters in name values, which makes it\n easier for remote attackers to cause a denial of service\n (malformed $_FILES indexes) or conduct directory traversal\n attacks during multi-file uploads by leveraging a script\n that lacks its own filename restrictions.\n\n *\n\n CVE-2012-0830: The php_register_variable_ex function\n in php_variables.c in PHP allowed remote attackers to\n execute arbitrary code via a request containing a large\n number of variables, related to improper handling of array\n variables. 
NOTE: this vulnerability exists because of an\n incorrect fix for CVE-2011-4885.\n\n *\n\n CVE-2012-0807: Stack-based buffer overflow in the\n suhosin_encrypt_single_cookie function in the transparent\n cookie-encryption feature in the Suhosin extension before\n 0.9.33 for PHP, when suhosin.cookie.encrypt and\n suhosin.multiheader are enabled, might have allowed remote\n attackers to execute arbitrary code via a long string that\n is used in a Set-Cookie HTTP header.\n\n *\n\n CVE-2012-0057: PHP had improper libxslt security\n settings, which allowed remote attackers to create\n arbitrary files via a crafted XSLT stylesheet that uses the\n libxslt output extension.\n\n *\n\n CVE-2012-0831: PHP did not properly perform a\n temporary change to the magic_quotes_gpc directive during\n the importing of environment variables, which made it\n easier for remote attackers to conduct SQL injection\n attacks via a crafted request, related to\n main/php_variables.c, sapi/cgi/cgi_main.c, and\n sapi/fpm/fpm/fpm_main.c.\n\n *\n\n CVE-2011-4153: PHP did not always check the return\n value of the zend_strndup function, which might have\n allowed remote attackers to cause a denial of service (NULL\n pointer dereference and application crash) via crafted\n input to an application that performs strndup operations on\n untrusted string data, as demonstrated by the define\n function in zend_builtin_functions.c, and unspecified\n functions in ext/soap/php_sdl.c, ext/standard/syslog.c,\n ext/standard/browscap.c, ext/oci8/oci8.c,\n ext/com_dotnet/com_typeinfo.c, and\n main/php_open_temporary_file.c.\n\n *\n\n CVE-2012-0781: The tidy_diagnose function in PHP\n might have allowed remote attackers to cause a denial of\n service (NULL pointer dereference and application crash)\n via crafted input to an application that attempts to\n perform Tidy::diagnose operations on invalid objects, a\n different vulnerability than CVE-2011-4153.\n\n *\n\n CVE-2012-0788: The PDORow implementation in PHP 
did\n not properly interact with the session feature, which\n allowed remote attackers to cause a denial of service\n (application crash) via a crafted application that uses a\n PDO driver for a fetch and then calls the session_start\n function, as demonstrated by a crash of the Apache HTTP\n Server.\n\n *\n\n CVE-2012-0789: Memory leak in the timezone\n functionality in PHP allowed remote attackers to cause a\n denial of service (memory consumption) by triggering many\n strtotime function calls, which were not properly handled\n by the php_date_parse_tzfile cache.\n\n *\n\n CVE-2011-4885: PHP computed hash values for form\n parameters without restricting the ability to trigger hash\n collisions predictably, which allowed remote attackers to\n cause a denial of service (CPU consumption) by sending many\n crafted parameters. We added a max_input_vars directive to\n prevent attacks based on hash collisions.\n\n *\n\n CVE-2011-4566: Integer overflow in the\n exif_process_IFD_TAG function in exif.c in the exif\n extension in PHP allowed remote attackers to read the\n contents of arbitrary memory locations or cause a denial of\n service via a crafted offset_val value in an EXIF header in\n a JPEG file, a different vulnerability than CVE-2011-0708.\n\n *\n\n CVE-2011-3182: PHP did not properly check the return\n values of the malloc, calloc, and realloc library\n functions, which allowed context-dependent attackers to\n cause a denial of service (NULL pointer dereference and\n application crash) or trigger a buffer overflow by\n leveraging the ability to provide an arbitrary value for a\n function argument, related to (1) ext/curl/interface.c, (2)\n ext/date/lib/parse_date.c, (3)\n ext/date/lib/parse_iso_intervals.c, (4)\n ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6)\n ext/pdo_odbc/pdo_odbc.c, (7)\n ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c,\n (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c,\n and (11) the strtotime function.\n\n *\n\n 
CVE-2011-1466: Integer overflow in the SdnToJulian\n function in the Calendar extension in PHP allowed\n context-dependent attackers to cause a denial of service\n (application crash) via a large integer in the first\n argument to the cal_from_jd function.\n\n *\n\n CVE-2011-1072: The installer in PEAR allowed local\n users to overwrite arbitrary files via a symlink attack on\n the package.xml file, related to the (1) download_dir, (2)\n cache_dir, (3) tmp_dir, and (4) pear-build-download\n directories, a different vulnerability than CVE-2007-2519.\n\n *\n\n CVE-2011-2202: The rfc1867_post_handler function in\n main/rfc1867.c in PHP did not properly restrict filenames\n in multipart/form-data POST requests, which allowed remote\n attackers to conduct absolute path traversal attacks, and\n possibly create or overwrite arbitrary files, via a crafted\n upload request, related to a "file path injection\n vulnerability."\n\n Bugfixes:\n\n * fixed php bug #43200 (Interface implementation /\n inheritence not possible in abstract classes) [bnc#783239]\n * use FilesMatch with 'SetHandler' rather than\n 'AddHandler' [bnc#775852]\n * fixed unpredictable unpack()/pack() behaviour\n [bnc#753778]\n * memory corruption in parse_ini_string() [bnc#742806]\n * amend README.SUSE to discourage using apache module\n with apache2-worker [bnc#728671]\n * allow uploading files bigger than 2GB for 64bit\n systems [bnc#709549]\n", "published": "2013-08-16T21:04:11", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00016.html", "cvelist": ["CVE-2012-2311", "CVE-2013-4113", "CVE-2012-2336", "CVE-2011-1466", "CVE-2012-0789", "CVE-2013-1643", "CVE-2012-2335", "CVE-2012-1823", "CVE-2011-4885", "CVE-2012-2688", "CVE-2011-1398", "CVE-2012-0788", "CVE-2012-0830", "CVE-2012-0781", "CVE-2011-0708", "CVE-2013-4635", "CVE-2011-4388", "CVE-2011-3182", "CVE-2012-4388", 
"CVE-2012-0057", "CVE-2012-1172", "CVE-2011-4566", "CVE-2007-2519", "CVE-2013-1635", "CVE-2011-2202", "CVE-2012-0831", "CVE-2011-1072", "CVE-2011-4153", "CVE-2012-0807", "CVE-2012-3365"], "lastseen": "2016-09-04T11:52:15"}], "ubuntu": [{"id": "USN-1437-1", "type": "ubuntu", "title": "PHP vulnerability", "description": "It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server. Configurations using mod_php5 and FastCGI were not vulnerable.\n\nThis update addresses the issue when the PHP CGI interpreter is configured using mod_cgi and mod_actions as described in /usr/share/doc/php5-cgi/README.Debian.gz; however, if an alternate configuration is used to enable PHP CGI processing, it should be reviewed to ensure that command line arguments cannot be passed to the PHP interpreter. Please see CVE-2012-2311 for more details and potential mitigation approaches.", "published": "2012-05-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/1437-1/", "cvelist": ["CVE-2012-2311", "CVE-2012-1823"], "lastseen": "2018-03-29T18:18:22"}], "exploitdb": [{"id": "EDB-ID:18834", "type": "exploitdb", "title": "PHP CGI Argument Injection", "description": "PHP CGI Argument Injection. CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. 
Remote exploit for php platform", "published": "2012-05-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18834/", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "lastseen": "2016-02-02T10:32:12"}, {"id": "EDB-ID:29316", "type": "exploitdb", "title": "Apache + PHP 5.x - Remote Code Execution Multithreaded Scanner 2", "description": "Apache + PHP 5.x - Remote Code Execution (Multithreaded Scanner) (2). CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. Remote exploit for php platform", "published": "2013-10-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/29316/", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "lastseen": "2016-02-03T10:02:19"}, {"id": "EDB-ID:40233", "type": "exploitdb", "title": "Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner) (2)", "description": "Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner) (2). CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. Remote exploit for PHP ...", "published": "2013-11-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/40233/", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "lastseen": "2016-08-13T15:37:10"}, {"id": "EDB-ID:29290", "type": "exploitdb", "title": "Apache / PHP 5.x - cgi-bin Remote Code Execution Exploit", "description": "Apache / PHP 5.x - cgi-bin Remote Code Execution Exploit. CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. 
Remote exploit for linux platform", "published": "2013-10-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/29290/", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "lastseen": "2016-02-03T09:58:57"}, {"id": "EDB-ID:18836", "type": "exploitdb", "title": "PHP CGI Argument Injection Exploit", "description": "PHP CGI Argument Injection Exploit. CVE-2012-1823,CVE-2012-2311,CVE-2012-2336. Remote exploit for php platform", "published": "2012-05-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18836/", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-1823"], "lastseen": "2016-02-02T10:32:19"}], "debian": [{"id": "DSA-2465", "type": "debian", "title": "php5 -- several vulnerabilities", "description": "De Eindbazen discovered that PHP, when run with mod_cgi, will interpret a query string as command line parameters, allowing the execution of arbitrary code.\n\nAdditionally, this update fixes insufficient validation of upload name which led to corrupted $_FILES indices.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze9.\n\nThe testing distribution (wheezy) will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in version 5.4.3-1.\n\nWe recommend that you upgrade your php5 packages.", "published": "2012-05-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2465", "cvelist": ["CVE-2012-2311", "CVE-2012-1823", "CVE-2012-1172"], "lastseen": "2016-09-02T18:35:24"}], "gentoo": [{"id": "GLSA-201209-03", "type": "gentoo", "title": "PHP: Multiple vulnerabilities", "description": "### Background\n\nPHP is a widely-used general-purpose scripting language that is especially suited for Web 
development and can be embedded into HTML. \n\n### Description\n\nMultiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, create arbitrary files, conduct directory traversal attacks, bypass protection mechanisms, or perform further attacks with unspecified impact. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll PHP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/php-5.3.15\"\n \n\nAll PHP users on ARM should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/php-5.4.5\"", "published": "2012-09-24T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201209-03", "cvelist": ["CVE-2012-2311", "CVE-2012-2336", "CVE-2012-2386", "CVE-2012-3450", "CVE-2012-0789", "CVE-2012-2335", "CVE-2012-1823", "CVE-2012-2143", "CVE-2011-4885", "CVE-2012-2688", "CVE-2011-1398", "CVE-2012-0788", "CVE-2012-0830", "CVE-2012-0057", "CVE-2012-1172", "CVE-2011-4566", "CVE-2011-3379", "CVE-2012-0831", "CVE-2012-3365"], "lastseen": "2016-09-06T19:46:08"}], "f5": [{"id": "F5:K13518", "type": "f5", "title": "Multiple PHP vulnerabilities", "description": "\nF5 Product Development has evaluated the currently-supported releases for potential vulnerability, and has determined that none of the products listed below are affected.\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM| None| 10.x \n11.x| None \nBIG-IP GTM| None| 10.x \n11.x| None \nBIG-IP ASM| None| 10.x \n11.x| None \nBIG-IP Link Controller| None| 10.x \n11.x| 
None \nBIG-IP WebAccelerator| None| 10.x \n11.x| None \nBIG-IP PSM| None| 10.x \n11.x| None \nBIG-IP WOM| None| 10.x \n11.x| None \nBIG-IP APM| None| 10.x \n11.x| None \nBIG-IP Edge Gateway| None| 10.x \n11.x| None \nBIG-IP Analytics| None| 11.x| None \nBIG-IP AFM| None| 11.x| None \nBIG-IP PEM| None| 11.x| None \nBIG-IP AAM| None| 11.x| None \nFirePass| None| 6.x \n7.x| None \nEnterprise Manager| None| 1.x \n2.x \n3.x| None \nARX| None| 5.x \n6.x| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "published": "2012-04-05T02:07:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K13518", "cvelist": ["CVE-2011-0421", "CVE-2011-0752", "CVE-2011-1467", "CVE-2011-1153", "CVE-2012-2311", "CVE-2012-2376", "CVE-2011-1466", "CVE-2012-0789", "CVE-2012-1823", "CVE-2011-1092", "CVE-2010-4698", "CVE-2011-2483", "CVE-2012-0788", "CVE-2010-4645", "CVE-2007-4658", "CVE-2011-0708", "CVE-2011-1468", "CVE-2012-0057", "CVE-2010-3709", "CVE-2011-1469", "CVE-2010-4150", "CVE-2011-1464", "CVE-2011-0755", "CVE-2010-4699", "CVE-2012-0831"], "lastseen": "2017-06-08T00:16:38"}, {"id": "SOL13518", "type": "f5", "title": "SOL13518 - Multiple PHP vulnerabilities", "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "published": "2012-04-04T00:00:00", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13518.html", "cvelist": ["CVE-2011-0421", "CVE-2011-0752", "CVE-2011-1467", "CVE-2011-1153", "CVE-2012-2311", "CVE-2012-2376", "CVE-2011-1466", "CVE-2012-0789", "CVE-2012-1823", "CVE-2011-1092", "CVE-2010-4698", "CVE-2011-2483", "CVE-2012-0788", "CVE-2010-4645", "CVE-2007-4658", "CVE-2011-0708", "CVE-2011-1468", "CVE-2012-0057", "CVE-2010-3709", "CVE-2011-1469", "CVE-2010-4150", "CVE-2011-1464", "CVE-2011-0755", "CVE-2010-4699", "CVE-2012-0831"], "lastseen": "2016-09-26T17:23:05"}]}}