PHP CGI Query String Parameters Command Execution

Added: 05/15/2012
CVE: CVE-2012-1823
BID: 53388
OSVDB: 81633

Background

PHP is a widely used general-purpose scripting language that is especially suited for Web development.

Problem

When configured as a CGI script (aka php-cgi), PHP does not properly handle query string parameters which are passed directly to the php-cgi program. This can be exploited to execute arbitrary system commands or disclose the PHP source code.

Resolution

Upgrade PHP to version 5.4.3 or 5.3.13 or higher.

References

http://secunia.com/advisories/49014
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823

Limitations

This exploit has been tested against PHP 5.3.10 on Windows XP SP3 and PHP 5.4.0 on Ubuntu 11.10 Linux.

Platforms

Windows
Linux
Mac OS X

Back to exploit index