Dutch security researchers have accidentally found a dangerous PHP-CGI vulnerability that allows an attacker to disclose a script's source code and, going further, to execute code remotely.
The researchers found the vulnerability while playing the Nullcon CTF. They noticed that requesting a PHP script with the query string ‘?-s’ somehow resulted in the “-s” command-line argument being passed to php-cgi, which makes it print the script's (syntax-highlighted) source instead of executing it, resulting in source code disclosure. After further analysis they established that the bug has been present since 2004.
One of the researchers said: "as long as your exploit contains a urlencoded ‘=’ character it will bypass the new checks".
The vulnerability was discovered in January 2012, and the researchers notified the PHP project a few days later. In early February, CERT was also informed of the bug's existence, and PHP has been working on a fix ever since.
On May 2, CERT told the researchers that PHP needed more time to address the issue, and they agreed to hold off publication; but apparently someone made a mistake, and the bug details were erroneously posted on Reddit.
Normally the researchers would have given PHP the time to fix the weakness, but because of this incident the team, De Eindbazen, decided to come forward and make the details public.
"We’ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It’s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (‘-’) are not escaped. So we can pass as many options to PHP as we want!" the researchers wrote in their advisory for the PHP-CGI vulnerability (CVE-2012-1823).
The flaw affects only PHP running as a classic CGI binary (php-cgi started by the web server for each request); FastCGI deployments are not vulnerable.
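To make the mechanism described in the advisory concrete, the following is an added example, not code from the researchers or from the PHP project. It models how Apache's mod_cgi turns a query string into extra command-line words for the CGI program (RFC 3875's "search string" rule: only a query string with no unencoded ‘=’ is split on ‘+’, URL-decoded and shell-escaped into argv), and runs that model over constructed access-log lines to flag requests that would have delivered switches such as ‘-s’ or ‘-d’ to php-cgi. The metacharacter set is the one httpd's ap_escape_shell_cmd() backslash-escapes on non-Windows builds; note that space and ‘-’ are not in it, as the advisory observed. The log lines, client addresses and paths are made up for the example, and argument-count limits and decode-error handling in mod_cgi are deliberately left out.

```python
import re
from urllib.parse import unquote_to_bytes

# Characters that Apache's ap_escape_shell_cmd() prefixes with a backslash on
# non-Windows builds (httpd server/util.c). Space and '-' are absent from this
# set, which is the detail the advisory points out.
SHELL_META = set('&;`\'"|*?~<>^()[]{}$\\\n')


def escape_shell_cmd(word):
    """Backslash-escape shell metacharacters the way mod_cgi does per argv word."""
    return ''.join('\\' + c if c in SHELL_META else c for c in word)


def cgi_argv(query_string):
    """Model of mod_cgi turning QUERY_STRING into extra command-line words.

    RFC 3875 section 4.4: a query string is treated as a 'search string' only
    when it contains no unencoded '='. It is then split on '+', each word is
    URL-decoded and shell-escaped, and the words are appended to the CGI
    program's argv (here: php-cgi). A literal '=' anywhere yields no extra
    arguments at all, while an encoded one (%3D) does not trip the check, so
    '-d name%3Dvalue' reaches php-cgi intact.
    """
    if not query_string or '=' in query_string:
        return []
    argv = []
    for word in query_string.split('+'):
        # %XX decoding only; '+' was already consumed as the separator.
        decoded = unquote_to_bytes(word).decode('latin-1')
        argv.append(escape_shell_cmd(decoded))
    return argv


def php_cgi_options(argv):
    """Heuristic: words php_getopt() would consume as switches, i.e. anything
    starting with '-'. '-s' prints the script's highlighted source and '-d'
    sets an ini directive; either arriving via the query string is an attack
    indicator."""
    return [a for a in argv if a.startswith('-')]


# Apache combined-log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def scan_access_log(lines):
    """Return (client_ip, path, argv) for every request whose query string
    would have been handed to php-cgi as command-line switches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, qs = m.group('target').partition('?')
        argv = cgi_argv(qs)
        if php_cgi_options(argv):
            hits.append((m.group('ip'), path, argv))
    return hits


# Constructed sample log lines (not real traffic). Lines 1 and 2 carry php-cgi
# switches; line 3 is an ordinary query; line 4 is a harmless RFC 3875 search
# string; line 5 contains a literal '=' and is therefore never passed as
# arguments even though it also contains '-s'.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2012:13:55:36 +0200] "GET /index.php?-s HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2012:13:55:40 +0200] "GET /index.php?-d+display_errors%3d1+-d+html_errors%3d0 HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2012:13:56:01 +0200] "GET /index.php?id=1&page=2 HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2012:13:56:05 +0200] "GET /search.php?php+cgi HTTP/1.1" 200 432 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2012:13:57:12 +0200] "GET /index.php?a=1&-s HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, path, argv in scan_access_log(SAMPLE_LOG):
        print(f'{ip} {path}: php-cgi argv {argv}')
```

Running the script reports the first two constructed requests only: ‘?-s’ becomes the single argument ‘-s’, and ‘?-d+display_errors%3d1+-d+html_errors%3d0’ becomes four arguments because the ‘=’ is encoded and so never triggers the search-string exclusion. The detection keys on the raw query string exactly as mod_cgi does, so an unencoded ‘=’ correctly suppresses a hit while ‘%3D’ does not.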