homepage Welcome to WebmasterWorld Guest from 107.20.37.62
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
Critical security issue in PHP
when used in CGI - based setup
jecasc




msg:4449202
 7:08 am on May 4, 2012 (gmt 0)

[kb.cert.org...]

When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.

An example of the -s command, allowing an attacker to view the source code of index.php is below:

http://localhost/index.php?-s



Ouch. According to the PHP website, this has been around for the last eight years.

PHP has released versions PHP 5.3.12 and PHP 5.4.2, as well as an official mod_rewrite based workaround:

[php.net...]

 

coopster




msg:4459898
 1:20 pm on May 31, 2012 (gmt 0)

And PHP 5.4.3 was also released on May 8. Anybody know the percentage of CGI versus mod_php installations?

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved