Un-Patched PHP-CGI remote code execution bug can expose Source Codes





A serious remote code execution vulnerability in PHP-CGI disclosed. PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files. The developers were still in the process of building the patch for the flaw when it was disclosed Wednesday, But the vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec.

-s" switch "show source" to PHP via the query string. For example, You could see the source via " https://localhost/test.php?-s " . A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server. According to advisory (CVE-2012-1823) , PHP-CGI installations are vulnerable to remote code execution. You can pass command-line arguments like the "" switch "" to PHP via the query string. For example, You could see the source via "" . A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.





The team that found the bug, known as Eindbazen . They said that it had been waiting for several months for the PHP Group to release a patch for the vulnerability in order to publish information about the bug.





What this vulnerability can do ? It can help attacker to find out database passwords, file locations etc and Execute any file on the server's local disk. Most important , using some trick if you have the possibility to upload a file to the server, execute any code.





So, When PHP is used in a CGI-based setup the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.