October 1, 2016

Eight Year Old PHP / Apache mod_cgi Vulnerability Disclosed

(LiveHacking.Com) – Due to a bug in PHP’s bug tracking system, a privately disclosed security vulnerability in the way PHP handles query string parameters when it is running in CGI mode, was marked as public. As a result the PHP project has released PHP 5.3.12 and PHP 5.4.2 to fix the problem, however there are reports that these releases are buggy and don’t fully resolve the problem.

The initial details of the generic PHP-CGI remote code execution bug were posted on the eindbazen.net website. They discovered that the query string ‘?-s’ results in the “-s” command line argument being passed to PHP, resulting in source code disclosure. Further investigation showed that the command-line switches -s, -d or -c are passed to the php-cgi binary, which can also be exploited to obtain arbitrary code execution.

To test if your site is vulnerable try the following:


According to the release information: “A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable. If you are using Apache mod_cgi to run PHP you may be vulnerable.”

The official fix in PHP 5.3.12 and PHP 5.4.2 contain a bug which makes the fix trivial to bypass, it is therefore recommended that system admins mitigate this problem by adding the following Apache mod_rewrite rule:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

The bug was originally discovered in January and was used to pwn the Nullcon Hackim 2012 scoreboard. The PHP team were contacted but after a couple of weeks little seemed to be happening. US-CERT was contacted who acknowledged the receipt of vulnerability in February. By May US-CERT notified eindbazen.net that the PHP team was testing a patch. However on May 3rd the bug reported was mistakenly marked as public and picked up on reddit /r/netsec /r/opensource and /r/technology. US-CERT have now published a Vulnerability Note.

It is anticipated that a new PHP update, with a revised fix, will be released soon.