On May 3rd, 2012, US-CERT published the vulnerability CVE-2012-1823, which allows any command-line option to be passed to a CGI/PHP instance.
An example using the "-s" option, which lets an attacker view the source code of index.php:
http://localhost/index.php?-s
Airlock does not yet have a default rule to block this kind of request. A custom deny rule can be configured to defend against these attacks.
Most of today's real-life PHP instances are not vulnerable (see "Systems Affected:").
Since the parameter name is affected, a new deny rule filter for parameter names is required:
Deny rule for parameter name:
Name: Deny rule for PHP-CGI CVE-2012-1823
Comment: Rule to prevent remote code execution in PHP-CGI installation
Path: (default) No Restriction
HTTP Method: (default) No Restriction
Content Type: (default) No Restriction
IP: (default) No Restriction
Parameter Name: PHP-CGI pattern
ParameterValue: (default) No Restriction
Activate Param Check: On
Parameter name pattern:
Name: PHP-CGI pattern
Comment: Detects shell options strings
Pattern: (^|[[:space:]])-?-[[:alpha:]]
Ignore Case: On
Invert: Off
Enable this rule in the corresponding mappings and activate the configuration.
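
Before activating the rule, the pattern can be checked offline against sample parameter names. The script below is an added example, not part of the original article or of Airlock; the function names and the sample query strings are constructed (only "-s" comes from this page), and it assumes the filter sees each parameter name after "+" has been decoded to a space.

```shell
#!/bin/sh
# Added example: exercises the page's parameter-name pattern with grep -E.
# Assumption: names reach the filter with '+' decoded to a space;
# percent-decoding is not reproduced here.

PATTERN='(^|[[:space:]])-?-[[:alpha:]]'   # pattern from the deny rule above

# name_denied NAME -> exit 0 when the pattern matches (request would be denied)
name_denied() {
    printf '%s\n' "$1" | grep -Eiq -e "$PATTERN"   # -i mirrors "Ignore Case: On"
}

# query_denied QUERY -> exit 0 when any parameter name in QUERY matches.
# Only names are tested, because Parameter Value is "No Restriction".
query_denied() {
    old_ifs=$IFS
    IFS='&'
    set -f                       # no globbing while splitting on '&'
    for pair in $1; do
        name=$(printf '%s' "${pair%%=*}" | tr '+' ' ')
        if name_denied "$name"; then
            IFS=$old_ifs; set +f
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# report QUERY -> prints DENY or PASS for one query string
report() {
    if query_denied "$1"; then echo DENY; else echo PASS; fi
}

# Constructed samples: option-like names first, then ordinary traffic.
for q in '-s' '-S' '--x' 'a=1&-s' 'a+-x=1' \
         'id=5' 'user-id=5' 'sort=-name' '-1=x' '-filter=on'; do
    printf '%-12s %s\n' "$q" "$(report "$q")"
done
```

The last sample shows the false-positive case to look for in existing applications: any legitimate parameter whose name starts with a dash followed by a letter is denied as well, while a dash inside a name (user-id) or at the start of a value (sort=-name) passes.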