Details of a remote code-execution vulnerability in PHP were accidentally made public this week, raising fears of a wave of attacks on sites running vulnerable versions.
A team of researchers discovered the bug in January and reported it to the PHP Group, whose developers were still working on a patch when the details got out.
The vulnerability is simple, but its consequences are serious. The researchers found that when they sent a query string containing the -s switch to PHP running in a CGI setup, php-cgi treated the -s as a command-line switch and responded with the source code of the requested script. The reason is that, under the CGI specification, a query string containing no '=' is handed to the CGI program as its command-line arguments, and php-cgi did not distinguish those from switches typed by an administrator at a real command line. Extending their testing, the researchers found they could pass whatever command-line arguments they wanted to the PHP binary.
“When PHP is used in a CGI-based setup (such as Apache’s mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,” US-CERT said in an advisory. “A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.”
The team that found the bug, a group called Eindbazen, said they had waited several months for the PHP Group to ship a patch before publishing anything about the flaw. However, someone accidentally marked the internal PHP bug report as public, and it eventually made its way to Reddit. So the team published the details of their findings and how to exploit the bug.
“We’ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It’s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (‘-’) are not escaped. So we can pass as many options to PHP as we want!” they wrote in their analysis of the PHP CVE-2012-1823 vulnerability.
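The mechanism described above can be exercised without a web server. The following is an added example, not code from the article, the Eindbazen post or US-CERT: it models how a CGI server derives command-line arguments from a query string (RFC 3875 section 4.4: only a query with no '=' is an "indexed" query; it is split on '+', percent-decoded, and shell metacharacters are escaped before the words become argv), a simplified stand-in for php-cgi's handling of the -s, -d and -c switches the advisory names, and a request-side check that flags the dangerous query shape. The metacharacter set is an assumption modelled on the one Apache escapes, and the switch parser is a simplification; nothing here runs php-cgi.

```python
"""
Model of the CVE-2012-1823 argument-injection path (added example; not
the project's or the researchers' code). Exercises three things:

  1. cgi_query_to_argv: QUERY_STRING -> argv as a CGI server builds it
     (RFC 3875 4.4, "indexed" queries only).
  2. php_cgi_switches: a simplified stand-in for php-cgi's getopt-style
     handling of -s, -d and -c.
  3. is_argument_injection: a conservative request-side check.
"""
from __future__ import annotations

from urllib.parse import unquote

# Metacharacters escaped before an indexed query reaches the program.
# Assumption: modelled on the set Apache's shell-escape routine handles.
# Space and '-' are absent, which is exactly what the Eindbazen analysis
# points out: a switch such as -s survives the escaping untouched.
SHELL_METACHARS = set("&;`'\"|*?~<>^()[]{}$\\\n")


def cgi_query_to_argv(query_string: str) -> list[str]:
    """Turn QUERY_STRING into the argv a CGI server would pass (RFC 3875 4.4).

    A query containing a literal '=' is a normal form query and yields no
    arguments at all; that is why an '=' inside a switch value has to be
    written percent-encoded (%3d) to reach php-cgi.
    """
    if query_string == "" or "=" in query_string:
        return []
    argv = []
    for word in query_string.split("+"):      # '+' separates arguments
        decoded = unquote(word)                # %2d -> '-', %3d -> '=', ...
        escaped = "".join(
            "\\" + ch if ch in SHELL_METACHARS else ch for ch in decoded
        )
        argv.append(escaped)
    return argv


def _switch_value(argv: list[str], i: int) -> tuple[str, int]:
    """Value for the switch at argv[i]: glued (-dfoo) or the next word."""
    if len(argv[i]) > 2:
        return argv[i][2:], i + 1
    if i + 1 < len(argv):
        return argv[i + 1], i + 2
    return "", i + 1


def php_cgi_switches(argv: list[str]) -> dict:
    """Simplified stand-in for php-cgi's switch parsing.

    Only -s, -d and -c (the switches named in the advisory) are modelled;
    parsing stops at the first word that is not a switch, as a getopt-style
    parser does.
    """
    state = {"show_source": False, "ini_overrides": [], "ini_path": None}
    i = 0
    while i < len(argv) and argv[i].startswith("-"):
        arg = argv[i]
        if arg == "-s":                        # dump the script's source
            state["show_source"] = True
            i += 1
        elif arg.startswith("-d"):             # override an ini directive
            value, i = _switch_value(argv, i)
            state["ini_overrides"].append(value)
        elif arg.startswith("-c"):             # alternate php.ini location
            value, i = _switch_value(argv, i)
            state["ini_path"] = value
        else:
            i += 1                             # other switches: ignored here
    return state


def is_argument_injection(query_string: str) -> bool:
    """Flag requests whose query would reach php-cgi as switches.

    Deliberately conservative: any argv word beginning with '-' is flagged,
    so '?foo+-s' is rejected even though a getopt-style parser would have
    stopped at 'foo'. Ordinary form queries (containing '=') never match.
    """
    return any(w.startswith("-") for w in cgi_query_to_argv(query_string))


if __name__ == "__main__":
    # Constructed sample query strings, not captured traffic.
    samples = ["-s", "%2ds", "file=index.php", "-d+display_errors%3d1+-s", "a%3bb"]
    for qs in samples:
        argv = cgi_query_to_argv(qs)
        print(f"{qs!r:30} argv={argv!r:42} flagged={is_argument_injection(qs)}")
        print("   php-cgi would see:", php_cgi_switches(argv))
```

Running the block shows why the Eindbazen observation matters: `?a%3bb` comes through with the semicolon backslash-escaped, while `?-s` and `?%2ds` both arrive as a bare `-s`, and a percent-encoded `=` lets a full `-d directive=value` pair through even though a literal `=` would have disabled the argument path entirely.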
PHP is a popular scripting language used in Web development. Since Eindbazen reported the bug to the PHP Group, several new versions of the language have been released with various other security fixes, but none has included a patch for this flaw. Right now there is no patch available for the vulnerability the Eindbazen team discovered; their post does, however, list a couple of technical workarounds.