Results 1 to 11 of 11

Thread: PHP-CGI remote code execution bug. Workaround coming?

  1. #1
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839

    Exclamation PHP-CGI remote code execution bug. Workaround coming?

    I've seen this today and seems very dangerous to me since a lot of systems still use php-cgi. The dangerous code is put public today, so all php-cgi servers are now vulnarable to this code execution.

    http://eindbazen.net/2012/05/php-cgi...cve-2012-1823/

    Since php is installed via DA in custombuild, can custombuild provide a workaround for this? There is a workaround included on that page, I like the second way best.
    The second way is a patch for PHP, which disables the parsing of arguments if
    php-cgi is invoked as non-fastcgi cgi.

    But this is in c so needs to be put in during compiling.
    Greetings, Richard.

  2. #2
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,158
    I don't think DA delivers installations with that kind of CGI setup, but correct me if I'm wrong.

    I have 2 kinds of setups; one with php5_cli=yes and another with suphp - php5_cgi=yes. Both are not affected by this bug.

    You can try it easily by putting ?-s behind the url, like site.tld/index.php?-s

    It should then show the php source if you're vulnerable.

    edit:
    see http://help.directadmin.com/item.php?id=197 setting php5_cgi to yes will get you suphp. It is a bit confusing because theres also a seperate ./buid suphp but at the end I think they will both be executed internally.
    Last edited by Arieh; 05-03-2012 at 10:24 AM.

  3. #3
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839
    php5_cgi=yes. Both are not affected by this bug.
    Oh I thought only fastcgi php versions were not affected. PHP-CGI installations are vulnerable to remote code execution, it said.

    Something is strange tho. I got 1 server which says in options.conf php5_cgi=yes, but when I do php -v it gives PHP 5.3.11 (cli) as answer, not (cgi). Is that normal?
    Greetings, Richard.

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Something is strange tho. I got 1 server which says in options.conf php5_cgi=yes, but when I do php -v it gives PHP 5.3.11 (cli) as answer, not (cgi). Is that normal?
    Yes, with PHP-CGI you still have PHP-CLI, but not mod_php.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  5. #5
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,158
    I think /usr/local/suphp/sbin/suphp is being used trough apache.

  6. #6
    Join Date
    Feb 2005
    Location
    Netherlands
    Posts
    59
    And there is a brand new patch....
    http://www.php.net/archive/2012.php#id2012-05-03-1

    Happy patching all....

  7. #7
    Join Date
    Oct 2003
    Location
    Switzerland
    Posts
    2,097
    New version of PHP have been released to fix this
    Olivier
    interfaCentre - We design custom hosting solutions

    Custom apps, scripts and configurations for easy and secure access to all hosting services
    Full Personal Information Management suite with mobile synchronisation
    PHP, Ruby, Node.js and Python hosting with 1-click app install

  8. #8
    Join Date
    Feb 2005
    Location
    Hong Kong
    Posts
    127
    I tested with suPHP 0.7.1 + PHP 4.4.9 or PHP 5.2.17 or 5.3.11, apparently all 3 combinaions are not vulnarable.

  9. #9
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    2,839
    The released patch/update does -not- work, at least not in a lot of case according to some security sites and the site I posted the link to in the beginning.
    Greetings, Richard.

  10. #10
    Join Date
    Apr 2009
    Posts
    1,958
    Also see Webhostingtalk thread on the subject: http://www.webhostingtalk.com/showthread.php?t=1151832

  11. #11
    Join Date
    Apr 2009
    Posts
    1,958
    The developer of suPHP confirm that it is not vulnerable: https://lists.marsching.com/pipermai...ay/002487.html
    suPHP should be safe, because, unlike the Apache CGI implementation, it
    will never pass any command-line arguments to the PHP interpreter.

Similar Threads

  1. [WORKAROUND] Successful 8.2-RELEASE installation
    By farmer in forum FreeBSD 8.x 64-bit
    Replies: 8
    Last Post: 09-19-2012, 10:12 PM
  2. CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept
    By redesb in forum General Technical Discussion & Troubleshooting
    Replies: 1
    Last Post: 06-12-2009, 10:46 AM
  3. port 25 blocked workaround
    By fastsvc in forum CentOS
    Replies: 2
    Last Post: 04-22-2009, 07:06 AM
  4. Any Workaround for Installing in LAN?
    By playah12 in forum Installation / System Requirements
    Replies: 6
    Last Post: 02-09-2009, 11:27 AM
  5. Greylisting Code? Anti-Dictionary-Attack code?
    By nobaloney in forum SpamBlocker3
    Replies: 71
    Last Post: 05-04-2008, 01:24 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •