-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0060
Title: PHP Remote-Code Execution Vulnerability in Certain CGI-based Setups [1,2]
Version history: 04.05.2012 Initial publication

Summary
=======

There is a vulnerability in certain CGI-based setups that has gone unnoticed for at least 8 years (!) [1,2]. Some systems support a method for supplying an array of strings to the CGI script. This is only used in the case of an 'indexed' query, which is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters. Requests that do not have a "=" in the query string are treated differently from those that do in some CGI implementations. For PHP this means that a request containing "?-s" may dump the PHP source code for the page, but a request that has "?-s&=1" is fine. There are already exploits available that can further escalate this to remote code execution [2].

PHP has released new versions to patch this issue. However, the new PHP releases (PHP 5.3.12 and PHP 5.4.2) are buggy. One can use the mitigating mod_rewrite rule provided by PHP, but the patch and the newly released versions do not entirely fix the problem [2].

Initially tracked as: CVE-2012-1823
Bug in the patch tracked as: CVE-2012-2311

CVSS2 Base: 9.0 (CRITICAL) AV:N/AC:L/Au:N/C:C/I:P/A:P [3]

Affected Products and Versions
==============================

If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you may be vulnerable, just add "?-s" to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are (probably) not [1].

If you run PHP either as an Apache module through mod_php or using php-fpm under nginx, you are not vulnerable; neither of these setups is affected. Straight shebang-style CGI also does not appear to be vulnerable [1].

What can you do?
================

Patch to the newly released versions, PHP 5.3.12 and PHP 5.4.2 [1], but note that this does not currently solve the problem entirely [2]. Additional mitigation strategies are available in [2]. That site also provides a quick additional patch for the official versions released by PHP (5.3.12 and 5.4.2). Updated versions including this (or a similar) patch should also be released by PHP shortly.

What to tell your users?
========================

N/A

More information
================

[1] http://www.php.net/archive/2012.php#id2012-05-03-1
[2] http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
[3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPo5qmOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4OtEQ/8CHD1piku
lHP8vG8+Lq9MgDm+EqWUv4wtZq6FXZuuja+2QjRHNFu/adwyqw9lu2jWiA69MkQJ
XAvJbBMgz/p1ANAEdeWJ5RhshmWRjBol/L3rQk3mdjkS9baO5fA9Ra6+e+EeFRby
0MQPHBPDFjZtIpIvRBcbUO2DqnZFfkElotC6Tkl0XbSV+OHf1utSHs2R53Ss2yrp
2tdr2CbJ4kKIsGhD0Jjd+UZSeSSojUldX+/VXDhJuWkci8Gxfh9hbS+4GiLzig/f
KQueEM1YIk7j2KO7E/1smUlUrVI1sHzo0lJt6RVeesYPsZpmyE6TcAebpd+kbZ06
frb348amKN6Zzj3FjaCA3nEP0MbkA1V6ftI+A1+yS5NAIYlI8wv6azzeqQ78HTkt
kpB2BTJJ6feEjSdd0sdZnLWKXi+DyEtyVdHDh8rwgcJHFCB+l0lay00aLzbojcpK
D3IOsAKePZYos36DpaViqdgr9BNpKMQpe4Gi8Zrq9rATIPtU4AaPWMoW9Hz0IeF0
BS7kHPpvDXqo3UrJnJs1W67phWgIOcfEu3ylaKDFjkhC9xr4SklrbD0RUjkSXtwX
Azlu7dQzKwojVfhz+64q+yECTUo2FyQ7FhuMb/M0DO1JtZOgGP3cYGEMCBjiNjzR
bVUDXKz0SZfYsBU5GYXKEYVWh1iH0x03UE4=
=S4Rn
-----END PGP SIGNATURE-----
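Editor's appendix (not part of the signed advisory above, and not code from CERT-EU or PHP): a small log-review script that applies the 'indexed query' rule from the Summary to web-server access logs, so that an operator can find requests of the kind the advisory describes in their own logs. It reproduces the CGI behaviour the advisory explains: a GET or HEAD query string with no unencoded "=" is split on "+" and percent-decoded into command-line words, and a word that then starts with "-" would be parsed by php-cgi as an option. The log lines are constructed for the example and assume an Apache-style access-log layout; the contrast between "?-s" (flagged) and "?-s&=1" (not flagged) is the one the advisory itself gives.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not taken from the advisory).
# "?-s" and "?-s&=1" are the two query strings the advisory contrasts.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 2310
203.0.113.5 - - [04/May/2012:10:00:02 +0000] "GET /index.php?-s&=1 HTTP/1.1" 200 512
203.0.113.7 - - [04/May/2012:10:00:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 4096
203.0.113.9 - - [04/May/2012:10:00:04 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 2310
203.0.113.9 - - [04/May/2012:10:00:05 +0000] "HEAD /index.php?-d+foo%3Dbar HTTP/1.1" 200 0
203.0.113.9 - - [04/May/2012:10:00:06 +0000] "GET /static/logo.png HTTP/1.1" 200 100
"""

# Client IP, two ident/user fields, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_indexed_query(query: str) -> bool:
    """An 'indexed' query in the CGI sense: non-empty, with no unencoded '='.
    A percent-encoded '=' (%3D) does not count, which is why '?-s&=1' is not
    indexed while '?-d+foo%3Dbar' still is."""
    return query != "" and "=" not in query


def argv_from_query(query: str) -> list[str]:
    """Mirror how a CGI server turns an indexed query into command-line words:
    split on '+', then percent-decode each word."""
    return [unquote(word) for word in query.split("+")]


def is_option_injection(query: str) -> bool:
    """True when an indexed query would hand the interpreter a decoded word
    that starts with '-', i.e. something php-cgi would read as an option."""
    if not is_indexed_query(query):
        return False
    return any(word.startswith("-") for word in argv_from_query(query))


def scan_access_log(text: str) -> list[dict]:
    """Return one record per request whose query string matches the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # The advisory ties indexed queries to GET and HEAD requests.
        if m["method"] not in ("GET", "HEAD"):
            continue
        path, _, query = m["target"].partition("?")
        if is_option_injection(query):
            hits.append({"ip": m["ip"], "path": path, "query": query,
                         "argv": argv_from_query(query), "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]}?{hit["query"]} -> argv {hit["argv"]}')
```

Run against the constructed sample, three requests are reported: "?-s", its percent-encoded form "?%2Ds" (decoded to "-s"), and "?-d+foo%3Dbar" (decoded to the words "-d" and "foo=bar"), while "?-s&=1" and "?page=home" are left alone because their raw query strings contain an unencoded "=". Feeding a real access log into scan_access_log gives the same classification; the decoding step matters because a check on the raw query string alone would miss the "%2D" variant.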