PHP 5.4.3 Release

abolfazl201358

Version 5.4.3
08-May-2012

Fixed bug #61807 Buffer Overflow in apache_request_headers, CVE-2012-2329.
Fixed bug #61910 Improve fix for PHP-CGI query string parameter vulnerability, CVE-2012-2311.


[2012-05-02 17:56 UTC] aaasd at asda dot com

Description:
------------
U#520827 - PHP-CGI query string parameter vulnerability

CVE: CVE-2012-1823

KEYWORDS:
php
php-cgi

OVERVIEW
PHP-CGI-based setups contain a vulnerability when parsing query
string parameters from php files.

DESCRIPTION
According to PHP's website, "PHP is a widely-used general-purpose
scripting language that is especially suited for Web development and
can be embedded into HTML." When PHP is used in a CGI-based setup
(such as Apache's mod_cgid), the php-cgi receives a processed query
string parameter as command line arguments which allows command-line
switches, such as -s, -d or -c to be passed to the php-cgi binary,
which can be exploited to disclose source code and obtain arbitrary
code execution.

An example of the -s command, allowing an attacker to view the source
code of index.php is below:
http://localhost/index.php?-s

IMPACT
A remote unauthenticated attacker could obtain sensitive information,
cause a denial of service condition or may be able to execute
arbitrary code with the privileges of the web server.

SOLUTION
We are currently unaware of a practical solution to this problem.

REFERENCES
http://www.php.net/
http://www.php.net/manual/en/security.cgi-bin.php

CREDIT
Thanks to De Eindbazen for reporting this vulnerability.

This document was written by Michael Orlando.


http://www.php.net/ChangeLog-5.php#5.4.3
http://www.php.net/downloads.php
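
A log check for the query-string behaviour described in the advisory above, as an added example that is not part of the original post or of PHP's own code. The log lines are constructed, the function names and the `.php` suffix filter are assumptions, and the "no unencoded `=`" condition comes from the CGI specification (RFC 3875) rather than from this page.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common-log style (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.11 - - [03/May/2012:10:00:02 +0000] "GET /index.php?id=5&page=2 HTTP/1.1" 200 812',
    '192.0.2.12 - - [03/May/2012:10:00:03 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '192.0.2.13 - - [03/May/2012:10:00:04 +0000] "GET /search.php?term HTTP/1.1" 200 300',
    '192.0.2.14 - - [03/May/2012:10:00:05 +0000] "GET /style.css?-v2 HTTP/1.1" 200 90',
]

# Pull the path and raw query string out of the quoted request line.
REQUEST_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>[^ ?"]+)\?(?P<query>[^ "]*) HTTP/[\d.]+"'
)


def is_switch_like(query):
    """True if the raw query string would reach php-cgi as a command-line switch."""
    # RFC 3875: a query string with no unencoded '=' is handed to the CGI
    # program as command-line arguments instead of only via QUERY_STRING.
    if not query or "=" in query:
        return False
    # Decode and trim before testing, so an encoded or padded '-' is still seen.
    return unquote(query).lstrip().startswith("-")


def find_suspect_requests(lines, suffixes=(".php",)):
    """Return (client, path, raw_query) for requests that look like switch injection.

    `suffixes` is an assumption: list every extension your server maps to php-cgi.
    """
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, query = m.group("path"), m.group("query")
        if path.lower().endswith(suffixes) and is_switch_like(query):
            hits.append((line.split()[0], path, query))
    return hits


if __name__ == "__main__":
    for client, path, query in find_suspect_requests(SAMPLE_LOG):
        print(f"{client} {path}?{query}")
```

A hit only shows that a request had the shape the advisory describes; whether the server was affected depends on whether PHP ran through php-cgi and on the installed version.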