
Gentlemen,

a heads up if your web setup uses mod_cgi instead of mod_php:

There is a vulnerability in certain CGI-based setups that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states:

Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.

So requests that do not have a "=" in the query string are treated differently from those that do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups is vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable.

If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that since CGI is a rather outdated way to run PHP it may not be feasible to upgrade these sites to a modern version of PHP, so an alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

   RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
   RewriteRule ^(.*) $1? [L]

If you are writing your own rule, be sure to take the urlencoded ?%2ds version into account.

From what I understand, some shared hosts use CGI to allow PHP to run as the user, so please test your setup and alert your web host if you are vulnerable.

source: php news archive
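As an added example (not part of this post or of the PHP advisory it quotes), the Python below applies the same condition as the mod_rewrite rule above to Apache access-log lines, so an administrator can check existing logs for requests of this shape, including the %2d-encoded variant. The log layout, the sample lines and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Same condition as the advisory's RewriteCond, applied to the raw query
# string: starts with "-" or "%2d" (any case) and has no unencoded "=".
DASH_INDEXED_QUERY = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Apache "combined"-style request line layout (assumed; it matches the
# constructed sample lines below).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_dash_indexed_query(query):
    """True when a raw query string would reach php-cgi as argv (no
    unencoded '=') and begins with a dash, i.e. what the rewrite rule blocks."""
    return DASH_INDEXED_QUERY.match(query) is not None

def parse_line(line):
    """Split one access-log line into client, method, path and raw query."""
    m = LOG_LINE.match(line)
    if m is None:
        return None  # unrecognised layout: skip rather than guess
    parts = urlsplit(m.group("target"))  # urlsplit leaves %XX escapes intact
    return {"client": m.group("client"), "when": m.group("when"),
            "method": m.group("method"), "path": parts.path,
            "query": parts.query, "status": m.group("status")}

def flag_dash_queries(lines):
    """Return parsed records whose GET/HEAD query the CGI spec treats as an
    indexed query and which start with a dash (the advisory's pattern)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in ("GET", "HEAD") and is_dash_indexed_query(rec["query"]):
            hits.append(rec)
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2012:13:55:36 +0000] "GET /index.php?-s HTTP/1.1" 200 5123
203.0.113.5 - - [10/May/2012:13:55:40 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5123
198.51.100.7 - - [10/May/2012:13:56:01 +0000] "GET /index.php?-s&=1 HTTP/1.1" 200 812
198.51.100.7 - - [10/May/2012:13:56:05 +0000] "GET /index.php?page=news HTTP/1.1" 200 812
192.0.2.9 - - [10/May/2012:13:57:12 +0000] "HEAD /index.php?search HTTP/1.1" 200 -
"""

if __name__ == "__main__":
    for hit in flag_dash_queries(SAMPLE_LOG.splitlines()):
        print(f'{hit["when"]} {hit["client"]} {hit["method"]} {hit["path"]}?{hit["query"]}')
```

Only the first two sample lines are flagged; the ?-s&=1 request is left alone because it contains an unencoded "=", exactly as the advisory describes.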

Wow. That is some powerful shit. Luckily mod_cgi is not very widely used anymore, otherwise this would be very painful.

I found out about this via an email from the Hiawatha webserver mailing list, which @bzerangue put me onto. Apparently even if you were to use PHP CGI, you're not vulnerable with Hiawatha.

