|
MA-309.052012 : MyCERT Alert - Critical Vulnerability in PHP-CGI
Date first published: 2012-05-04
1.0 Introduction A critical vulnerability has been reported in PHP CGI-based setup, which can be exploited and allow a remote attacker to disclose source code and obtain arbitrary code execution. [1] However Apache+mod_php and nginx+php-fpm are not affected by this vulnerability. [2] PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary. [1] 2.0 Impact By exploiting these vulnerabilities, it allows a remote attacker to obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server. [1][3] 3.0 Affected Products
- PHP (with CGI-based setup) up to version 5.3.12 and 5.4.2
4.0 Recommendation We are aware that PHP already released PHP 5.3.12 and PHP 5.4.2 to address this issue, however the official PHP patch contains a bug, which makes the fix trivial to bypass. Users are recommended to use any of the the following workarounds: Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor. For any enquiries, MyCERT can be reached through the following channels: E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my 5.0 References
|
