You are here

PHP-CGI query string parameter vulnerability: define custom deny rule


On May 3th 2012, the US-CERT published the vulnerability CVE-2012-1823, which allows to pass any command line option to a cgi/php instance.

An example of the "-s" command, allowing an attacker to view the source code of index.php:


Airlock does not have a default rule to block this kind of requests yet. A custom deny rule can be configured to defend these attacks.

Most of todays real life php instances are not vulnerable (see "Systems Affected:").


Since the parameter name is affected, a new deny rule filter for parameter names is required:

Deny rule for paramater name:

Name: Deny rule for PHP-CGI CVE-2012-1823
Comment: Rule to prevent remote code execution in PHP-CGI installation
Path: (default) No Restriction
HTTP Method: (default) No Restriction
Content Type: (default) No Restriction
IP: (default) No Restriction
Parameter Name: PHP-CGI pattern
ParameterValue: (default) No Restriction
Activate Param Check: On

Parameter name pattern:

Name: PHP-CGI pattern
Comment: Detects shell options strings
Pattern: (^|[[:space:]])-?-[[:alpha:]]
Ignore Case: On
Invert: Off

Enable this rule in the corresponding mappings and activate the configuration.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution