The US CERT is warning of a critical vulnerability in PHP which has been disclosed, by mistake, to the public while the developers are still working on a fix. The vulnerability affect servers that are running PHP in CGI mode; FastCGI for PHP installations are not affected.

The team discovered the problem during a capture-the-flag competition. The essence of the problem is that, because it is possible to call the PHP CGI program with special URLs, it is also possible to foist command-line parameters on it. For example, if the provided URL was



http://localhost/index.php?-s

then this would ensure that the web server php-cgi would be called with the -s flag, which would in turn output the PHP source code of index.php as HTML rather than executing it. That would be a bad enough problem in itself because PHP applications often contain critical information such as credentials to access databases. But according to the discoverers of the flaw, it can also be used to directly inject code and run it, raising the hole to the highest threat level.

Disclosure like this should only take place after the publication of a patch to fix the hole. The discoverers had passed their find to the US-CERT which acted as an intermediary. Yesterday, the CTF team had agreed to give the PHP developers enough time to test the existing patch, but it was accidentally posted as "public" in the PHP bug database and then highlighted in a posting on Reddit, at which point the cat was out of the bag. The CTF team published information afterwards about the PHP vulnerability.

The US-CERT does not currently have a feasible way for users to protect themselves. The discoverers of the hole suggest that you replace the PHP CGI program with a wrapper script that filters the parameters before calling the actual PHP program. They also provide a suitable example script. Since the PHP team is already testing a patch, there should be an official solution to the problem soon.

Update - The PHP developers have released PHP 5.3.12 and PHP 5.4.2 which they say eliminates the vulnerability. The developers also note that, as CGI is "a rather outdated way to run PHP" and it may not be possible to update PHP in that situation, for administrators in that position they recommend configuring the web server to not allow requests with query strings starting with a "-" and not containing a "=" through. For Apache mod_rewrite, they suggest adding the rule



RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]

RewriteRule ^(.*) $1? [L]

Update 2 - The discoverers of the bug say, in an update to their blog post, that they found the official fix contains a bug which "makes the fix trivial to bypass". They recommend the use of other mitigations such as their wrapper script or rewrite rules. They add that new versions of PHP which incorporate a revised version of the fix "will be released soon".

(djwm)