New PHP vulnerability when using mod_cgi
http://www.php.net/archive/2012.php#id2012-05-03-1
tl;dr: if you're using mod_cgi (not fcgi), adding ?-s to a PHP page may reveal its source code.
Comments
That is not good at all!
This is as bad as when vBulletin let you type "database" in the FAQ and it showed you the config.php file. LoL
"has gone unnoticed for at least 8 years."
Yes is the best part.
But these days having an install with CGI is strange...
(btw Dreamhost allow a cgi mode... I was doing some modification in an account ¬¬)
Not fastcgi?
I tried on lighty CGI/FastCGI 5.3.2 but no luck to see the source
No. Read the description.
what description
This is not a bug, it's clearly a feature.
I tried on lighty CGI/FastCGI 5.3.2 but no luck to see the source
Don't remember where, but it is not vulnerable.
Apparently the PHP developers have known this one for months.
oucchhh.. mann that's serious :-/
This isn't Hack Forums, guys. Can we not post that kind of stuff here?
EDIT: @NateN34. Obviously posting security warnings is good. Posting "Hey, here's a server that's vulnerable".... not so much.
What does this exactly do that makes the code display?
My guess is it stops the PHP executing it, so just displays it in the browser instead.
It passes the -s argument to the PHP CGI process. So basically it becomes (incomplete, pseudo example) php scriptname.php -s
From php --help:
-s Output HTML syntax highlighted source.
lol @ the guy from FL. (66.177.11.109) who has decided to go around testing everyone on this board for the vulnerability. Unless someone is using CentOS 4 or some other ancient setup, you're not going to find anything.
@subigo I had 213.197.226.1 try it on freevps.us
I tried it on a few sites of friends and found one affected, warned him and now fixed
who still uses php as cgi? I thought that only windows-lamp-test installations do/did that.
Yeah, I have tried to find vulnerable sites but the result is there is hardly anyone using mod_cgi
Looks like the official fix isn't effective.....
http://developers.slashdot.org/story/12/05/05/1435209/recently-exposed-php-holes-official-fix-ineffective?utm_source=rss1.0mainlinkanon&utm_medium=feed
wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,' a CERT explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't actually remove the vulnerability."
more info here (the reporters of the bug):
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
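Added example, not part of any post in this thread: a Python check that scans web access logs for the request shape described in the comments and the CERT quote above, where the query string reaches php-cgi as command-line switches. The log lines are constructed, the function names are hypothetical, and the rule that only queries without an unencoded "=" are passed as arguments comes from the CGI specification (RFC 3875), not from this page.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120
192.0.2.10 - - [04/May/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120
198.51.100.7 - - [04/May/2012:10:00:03 +0000] "GET /list.php?page=-1 HTTP/1.1" 200 812
198.51.100.7 - - [04/May/2012:10:00:04 +0000] "GET /search.php?-s=1 HTTP/1.1" 200 640
203.0.113.5 - - [04/May/2012:10:00:05 +0000] "GET /about.php HTTP/1.1" 200 300
"""

# Only GET and HEAD are matched: RFC 3875 limits command-line passing to those.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def is_switch_query(raw_query):
    """True if a CGI server would pass this query as argv and it starts with '-'."""
    # A query containing an unencoded '=' is treated as form data, not arguments.
    if not raw_query or "=" in raw_query:
        return False
    # Decode the way the server does before splitting into arguments.
    decoded = unquote(raw_query.replace("+", " "))
    # Ignore leading whitespace so " -s" is treated like "-s".
    return decoded.lstrip().startswith("-")


def find_suspicious(log_text):
    """Return (client, path, raw_query, status) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        if is_switch_query(query):
            hits.append((client, path, query, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A hit only shows that someone sent such a request; whether the server was affected depends on PHP running through mod_cgi, as discussed above.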
I have a client running CentOS 3 with mod_cgi. I've alerted them of the issue. They probably won't care. Some clients never want anything changed.
http://facebook.com/?-s
Haha, it only appears on Facebook's front page.
I was talking about this
In the description
Dafuq!!! Facebook :S
Haha love the Facebook joke
Someone apply pls!
haha nice way to hire security engineers
FB developers have known the hole before PHP developers did???
It was just added.