Dutch security experts from De Eindbazen have found a dangerous PHP-CGI flaw that could be remotely leveraged by an attacker for command execution and source code disclosure.
According to the researchers, while playing Nullcon CTF, they’ve noticed that if they input an “?-s” query string, it results in a “-s” command line argument that’s passed to PHP.
Further analysis has revealed that the bug has been around since 2004, when apparently PHP developers forgot about a section of the CGI RFC that refers to the script command line. On the other hand, Apache developers respected this rule.
The team found the vulnerability in January, 2012, the PHP Group being notified of its presence a few days later. In early February, CERT was also informed of the bug’s existence and PHP has been working on a fix ever since.
On May 2, CERT told the experts that PHP needed more time to address the issue and they agreed to hold off its publication, but apparently, someone made a mistake and erroneously posted the bug details on Reddit.
Normally, they would have allowed PHP to do its work and fix the weakness, but because of this incident De Eindbazen decided to come forward and make it public.
In the proof of concept they made, the researchers revealed that Dreamhost, the host that’s utilized by Nullcon, recommends customers who want to modify their php.ini configuration files to run the sites through a CGI wrapper that uses a shell script which wraps php5-cgi.
“We’ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory,” they explained.
“It’s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (‘-’) are not escaped. So we can pass as many options to PHP as we want! There is one slight complication: php5-cgi behaves differently depending on which environment variables have been set, disabling the flag -r for direct code execution among others.”
Until a permanent fix is released, De Eindbazen recommends the use of a small wrapper binary around the php-cgi binary or the use of a PHP patch which disables argument parsing if php-cgi is invoked as non-fastcgi CGI.
The flaw affects only classic CGI, FastCGI servers not being vulnerable.