PHP CGI arbitrary code execution vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
php5 (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
We have identified an arbitrary code execution vulnerability in PHP CGI. Please
refer to the advisory below, as reported to <email address hidden> on 2012-01-17.
As of the time of writing, no response has been received from the upstream vendor.
In addition to the upstream vendor, one additional party
(a hosting provider) has been notified of this vulnerability.
------ Original advisory ------
When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi
receives a processed query string parameter as command line arguments
(in case of GET or HEAD requests, and provided there are no unescaped
'=' characters in the query string). This is expected behavior for CGI scripts,
as defined in section 4.4 of RFC 3875 [1].
Even though many setups have abandoned 'traditional' CGI in favor of
FastCGI-based solutions (e.g. mod_fastcgi, mod_fcgid), which cannot pass on a
request's query string as command line parameters, PHP should refuse to
process command line arguments when invoked as a CGI binary.
This used to be PHP's exact behavior and is still documented as such in [2],
but nonetheless a change to re-introduce parsing of a specific set of command
line args was introduced in 2004, preceded by a post on the php-devel
mailing list:
"The point of the question here is if anybody remembers why we decided not
to parse command line args for the cgi version?" [3]
Parsing command line args allows command-line switches, such as -s, -d or -c
to be passed to the php-cgi binary, which can be exploited to disclose source
code and obtain arbitrary code execution.
This can be trivially demonstrated by configuring Apache to run PHP
in CGI mode, for example using mod_cgi:
Options +ExecCGI
AddHandler php5-cgi .php
Action php5-cgi /cgi-bin/php5-cgi
Subsequently accessing http://
the source code of index.php
Another example, demonstrating remote code execution:
curl -s -H 'Output: <?php system("id");die(); ?>' \
'http://
| awk -F 'HTTP_OUTPUT=' '{ print $2 }'
Eindbazen
http://
[1] http://
[2] http://
[3] http://
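The condition under which a CGI server turns a query string into argv (RFC 3875 section 4.4: no unencoded '=', words split on '+', each word URL-decoded) is what makes the switches above reachable. The following is an added example, not part of the reporter's advisory or of PHP, that models that rule and runs it over a few constructed request lines to flag requests that would reach php-cgi with switch-like arguments; the function names and sample lines are this example's own, and the GET/HEAD restriction follows the advisory's description of the mod_cgid setup rather than the RFC text.

```python
import urllib.parse
from typing import List, Tuple

# Added example (not part of the original bug report): models the RFC 3875
# section 4.4 rule the advisory relies on and uses it as detection logic.
# Function and sample names are this example's own choices.


def cgi_argv_from_query(method: str, query: str) -> List[str]:
    """Return the argv a CGI server would build from a query string.

    RFC 3875 4.4: for an "indexed" query (no unencoded '='), the server
    splits the query on '+', URL-decodes each word and passes the words as
    command-line arguments. A query containing '=' is form data and yields
    no arguments. The GET/HEAD restriction mirrors the advisory's
    description of the Apache CGI setup (an assumption of this example).
    """
    if method.upper() not in ("GET", "HEAD"):
        return []
    if query == "" or "=" in query:
        return []
    return [urllib.parse.unquote(word) for word in query.split("+")]


def option_like_args(method: str, query: str) -> List[str]:
    """Return the decoded argv words that look like command-line switches.

    Decoding happens before the check, as it does in the CGI server, so a
    percent-encoded '-' is recognised as well; checking the raw query
    string for a literal '-' would miss it.
    """
    return [arg for arg in cgi_argv_from_query(method, query) if arg.startswith("-")]


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'METHOD /path?query HTTP/1.x' into (method, path, query)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {line!r}")
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    return method, path, query


def flag_requests(log_lines) -> List[Tuple[str, List[str]]]:
    """Return (request line, switch-like args) for each request whose
    query string would reach the CGI binary as command-line options."""
    findings = []
    for line in log_lines:
        method, _path, query = parse_request_line(line)
        hits = option_like_args(method, query)
        if hits:
            findings.append((line, hits))
    return findings


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /index.php?page=home HTTP/1.1",    # contains '=': form data, no argv
    "GET /index.php?-s HTTP/1.1",           # indexed query: argv ['-s']
    "GET /index.php?%2ds HTTP/1.1",         # same switch, percent-encoded
    "GET /index.php?search+term HTTP/1.1",  # indexed but harmless argv
    "POST /index.php?-s HTTP/1.1",          # not GET/HEAD in the modelled setup
]

if __name__ == "__main__":
    for request, args in flag_requests(SAMPLE_REQUESTS):
        print(f"{request}  ->  would receive argv {args}")
```

Run against real access logs, the same rule can be used as a pre-filter: any request whose decoded, '+'-split query string starts a word with '-' is one that a CGI-mode php-cgi would interpret as a switch, which is exactly the class of request a web-server rewrite rule or WAF policy should reject while the binary is unpatched.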
CVE References
visibility: private → public
Thank you for using Ubuntu and reporting a bug. What was upstream's response?