Serious Remote PHP Bug Accidentally Disclosed

Viewing 5 reply threads
  • Author
    • #7563

      [ VIA ]

      A serious remote-code execution vulnerability in PHP was accidentally disclosed Wednesday, leading to fears of an outbreak of attacks on sites that were built using vulnerable versions of PHP. The bug has been known privately since January when a team of researchers used it in a capture the flag contest and then subsequently reported it to the PHP Group. The developers were still in the process of building the patch for the flaw when it was disclosed Wednesday.

      The vulnerability is a simple one but it has serious consequences. Essentially, the researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted ot the PHP binary.

      “When PHP is used in a CGI-based setup (such as Apache’smod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,” the US-CERT said in an advisory published Wednesday. “A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.”

      The team that found the bug, known as Eindbazen, said that they had been waiting for several months for the PHP Group to release a patch for the vulnerability in order to publish information about the bug. However, someone accidentally marked an internal PHP bug as public and it eventually was posted to Reddit. So Eindbazen then published the details of their findings and how it can be exploited.

      “We’ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It’s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (‘-’) are not escaped. So we can pass as many options to PHP as we want!” they wrote in their analysis of the PHP CVE-2012-1823 vulnerability.

      “There is one slight complication: php5-cgi behaves differently depending on which environment variables have been set, disabling the flag -r for direct code execution among others. However, this can be trivially bypassed. We’re removing the remote code execution PoC out of an abundance of caution, but at this point anyone should be able to figure this out. And for the record: safe_mode, allow_url_include and other security-related ini settings will not save you.”

      PHP is one of the more popular scripting languages used in Web development. Since the time that the Eindbazen team reported the bug to the PHP Group, there have been several new versions of the language released, with various other security fixes, but without a patch for the CVE-2012-1863 bug. Right now, there is no patch available for the flaw discovered by the Eindbazen team, however they list a couple of technical workarounds in their post and have produced a file that includes both of them that users can download.

    • #47240

      Note, you can read more about the vulnerability in detail here:

      In essence it seems like the vulnerability is more simple than one would initially anticipate. It’s so simple it’s almost not true, even though it is of course true.  ;D

    • #47241

      first of all, props to eindbazen, i know some of them personally and they are hardcore. The vulnerability is indeed quite simple, but do not forget that the situation has to be just right, you have to actually run PHP in CGI. But still, kudo’s to eindbazen for finding it and trying to disclose it responsibly (they discovered this vulnerability in januari and reported it several times), if they only checked the private box…

    • #47242

      Indeed it is simple and it’s also a very old / ancient vulnerability which seems to deem it a foreverday, as there is no working patch yet either. Some years ago, I stumpled across an interesting vulnerability on a particular webhost, which I couldn’t reproduce anywhere else.

      When I sent a request like this:

      The website would execute normally, but when I sent this:

      The source of that script would be revealed. I can’t remember if it was an ASP or PHP powered website, but it was an interesting vulnerability.

    • #47243

      And Facebook takes this with humor  8)

    • #47244

      Haha nice one MrTuxracer  ;D That’s actually brilliant of them to do so  🙂

Viewing 5 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?