PHP-CGI remote code execution bug. Workaround coming?

Richard G

I've seen this today and it seems very dangerous to me, since a lot of systems still use php-cgi. The dangerous code was made public today, so all php-cgi servers are now vulnerable to this code execution.

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

Since php is installed via DA in custombuild, can custombuild provide a workaround for this? There is a workaround included on that page, I like the second way best.
The second way is a patch for PHP, which disables the parsing of arguments if
php-cgi is invoked as non-fastcgi cgi.

But this is in C, so it needs to be put in during compiling.
 
I don't think DA delivers installations with that kind of CGI setup, but correct me if I'm wrong.

I have 2 kinds of setups; one with php5_cli=yes and another with suphp - php5_cgi=yes. Both are not affected by this bug.

You can try it easily by putting ?-s behind the url, like site.tld/index.php?-s

It should then show the php source if you're vulnerable.

edit:
See http://help.directadmin.com/item.php?id=197; setting php5_cgi to yes will get you suphp. It is a bit confusing because there's also a separate ./build suphp, but in the end I think they will both be executed internally.
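
A log check for the `?-s` probe described in this thread, added here as an example and not code from any poster, DirectAdmin or the advisory: it flags access-log requests whose query string contains no `=` and begins with `-` once URL-decoded, which is the form a CGI-mode php-cgi reads as a command-line switch. The function names, the regex and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def is_cgi_switch_query(target):
    """Return True if the query string would be read as a php-cgi switch."""
    _path, sep, query = target.partition("?")
    if not sep or not query:
        return False
    # A query with a literal '=' is handled as form data, not as arguments.
    if "=" in query:
        return False
    # Decode so that %2d is recognised as '-'; '+' separates arguments.
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")


def suspicious_requests(log_lines):
    """Return the request targets in log_lines that match the heuristic."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and is_cgi_switch_query(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:00:01 +0200] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.11 - - [04/May/2012:10:00:05 +0200] "GET /index.php?%2ds HTTP/1.1" 200 5120',
    '192.0.2.12 - - [04/May/2012:10:01:00 +0200] "GET /index.php?id=-5 HTTP/1.1" 200 812',
    '192.0.2.13 - - [04/May/2012:10:02:00 +0200] "GET /search.php?q=a-b HTTP/1.1" 200 990',
    '192.0.2.14 - - [04/May/2012:10:03:00 +0200] "GET /index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for target in suspicious_requests(SAMPLE_LOG):
        print("possible php-cgi argument probe:", target)
```

A hit only shows that someone sent the probe; whether the source was actually returned depends on how PHP is invoked on that server.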
 
php5_cgi=yes. Both are not affected by this bug.
Oh I thought only fastcgi php versions were not affected. PHP-CGI installations are vulnerable to remote code execution, it said.

Something is strange tho. I got 1 server which says in options.conf php5_cgi=yes, but when I do php -v it gives PHP 5.3.11 (cli) as answer, not (cgi). Is that normal?
 
Something is strange tho. I got 1 server which says in options.conf php5_cgi=yes, but when I do php -v it gives PHP 5.3.11 (cli) as answer, not (cgi). Is that normal?

Yes, with PHP-CGI you still have PHP-CLI, but not mod_php.
 
I tested with suPHP 0.7.1 + PHP 4.4.9 or PHP 5.2.17 or 5.3.11, apparently all 3 combinations are not vulnerable.
 
The released patch/update does -not- work, at least not in a lot of cases according to some security sites and the site I posted the link to in the beginning.
 