{"vuid":"VU#520827","idnumber":"520827","name":"PHP-CGI query string parameter vulnerability","keywords":["php","php-cgi"],"overview":"PHP-CGI-based setups contain a vulnerability when parsing query string parameters from PHP files.","clean_desc":"According to PHP's website, \"PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.\" When PHP is used in a CGI-based setup (such as Apache's mod_cgid), php-cgi receives the processed query string as command-line arguments. This allows command-line switches, such as -s, -d or -c, to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution. An example of the -s switch, allowing an attacker to view the source code of index.php, is below: http://localhost/index.php?-s Additional information can be found in the vulnerability reporter's blog post.","impact":"A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.","resolution":"Apply update. PHP has released versions 5.4.3 and 5.3.13 to address this vulnerability. PHP is recommending that users upgrade to the latest version of PHP. PHP has stated: \"PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of \"$@\" to pass parameters to php-cgi which causes a number of issues.\"","workarounds":"Apply mod_rewrite rule. PHP has stated that an alternative is to configure your web server not to let through requests whose query string starts with a \"-\" and does not contain an \"=\". Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:\n    RewriteCond %{QUERY_STRING} ^[^=]*$\n    RewriteCond %{QUERY_STRING} %2d|\\- [NC]\n    RewriteRule .? - [F,L]","sysaffected":"According to PHP's website: Apache+mod_php and nginx+php-fpm","thanks":"Thanks to De Eindbazen for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://www.php.net/","http://www.php.net/manual/en/security.cgi-bin.php","http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/","http://www.php.net/archive/2012.php#id2012-05-03-1","http://www.php.net/archive/2012.php#id2012-05-08-1","http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices"],"cveids":["CVE-2012-1823","CVE-2012-2311"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2012-02-20T15:46:33Z","publicdate":"2012-05-03T00:00:00Z","datefirstpublished":"2012-05-03T11:35:49Z","dateupdated":"2013-12-02T04:26:01Z","revision":50,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"L","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:P/A:P","cvss_temporalscore":"8.5","cvss_environmentalscore":"8.670285804853","cvss_environmentalvector":"CDP:L/TD:H/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}