Date: 04 May 2012
References: ESB-2012.0439 ASB-2012.0070 ESB-2012.0454 ESB-2012.0461 ESB-2012.0464 ESB-2012.0559.2 ESB-2012.0619 ESB-2012.0622 ESB-2012.0899 ESB-2013.0835
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0066
A vulnerability has been identified in PHP prior to versions 5.3.12 and 5.4.2
4 May 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PHP
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
               Access Confidential Data -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2012-1823
Member content until: Sunday, June 3 2012
Comment: Some sources have stated that these updates do not correct the
reported vulnerability, and as such additional mitigation information
has been provided.
OVERVIEW
A vulnerability has been identified in PHP prior to versions 5.3.12 and
5.4.2. [1]
IMPACT
The vendor has provided the following details regarding this
vulnerability, which has been assigned CVE-2012-1823:
"There is a vulnerability in certain CGI-based setups (Apache+mod_php
and nginx+php-fpm are not affected) that has gone unnoticed for at
least 8 years. Section 7 of the CGI spec states:
Some systems support a method for supplying a [sic] array of strings to
the CGI script. This is only used in the case of an `indexed' query.
This is identified by a "GET" or "HEAD" HTTP request with a URL search
string not containing any unencoded "=" characters.
So, requests that do not have a "=" in the query string are treated
differently from those who do in some CGI implementations. For PHP
this means that a request containing ?-s may dump the PHP source code
for the page, but a request that has ?-s&=1 is fine.
A large number of sites run PHP as either an Apache module through
mod_php or using php-fpm under nginx. Neither of these setups are
vulnerable to this. Straight shebang-style CGI also does not appear to
be vulnerable.
If you are using Apache mod_cgi to run PHP you may be vulnerable. To
see if you are, just add ?-s to the end of any of your URLs. If you
see your source code, you are vulnerable. If your site renders
normally, you are not." [1]
While the vendor states that the updated version of PHP will correct
this issue, the Eindbazen blog, where the vulnerability was originally
disclosed, has stated that:
"The new PHP release is buggy. You can use their mitigation mod_rewrite
rule, but the patch and new released versions do not fix the
problem." [2]
The Eindbazen blog also provides additional methods to mitigate this
issue; however, as these are not official vendor-supplied mitigations,
they should be used at your own risk. [2]
MITIGATION
The vendor has provided the following details regarding available
updates and a workaround:
"To fix this, update to PHP 5.3.12 or PHP 5.4.2.
We recognize that since CGI is a rather outdated way to run PHP, it may
not be feasible to upgrade these sites to a modern version of PHP. An
alternative is to configure your web server to not let these types of
requests with query strings starting with a "-" and not containing a
"=" through. Adding a rule like this should not break any sites. For
Apache using mod_rewrite it would look like this:
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
If you are writing your own rule, be sure to take the urlencoded ?%2ds
version into account." [1]
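As an added example (not from the bulletin, PHP or Eindbazen), the check below applies the CGI spec rule quoted in the IMPACT section together with the vendor's RewriteCond to constructed Apache access-log lines, so a defender can find past requests whose query string would have reached php-cgi as command-line options. The log format and the sample addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Apache common-log request line: client, timestamp, quoted "METHOD target proto", status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The vendor's RewriteCond pattern, applied to the raw (still percent-encoded)
# query string; Apache's [NC] flag makes it case-insensitive, so %2D matches too.
VENDOR_RULE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

def cgi_argv(query):
    """argv an 'indexed' CGI query produces, or None for a normal query: per the
    quoted spec, a query with no unencoded '=' is split on '+' and each word decoded."""
    if query == "" or "=" in query:
        return None
    return [unquote(word) for word in query.split("+")]

def is_option_injection(query):
    """True when an indexed query would hand php-cgi a word that looks like an option.
    The vendor rule inspects only the leading word; this checks every argv word."""
    argv = cgi_argv(query)
    return argv is not None and any(word.startswith("-") for word in argv)

def scan_log(lines):
    """(client, target) for requests the rewrite rule would have blocked or the
    argv check flags.  Only GET/HEAD queries are 'indexed' per the CGI spec."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m["target"].partition("?")[2]
        flagged = VENDOR_RULE.match(query) is not None
        if m["method"] in ("GET", "HEAD"):
            flagged = flagged or is_option_injection(query)
        if flagged:
            hits.append((m["client"], m["target"]))
    return hits

# Constructed sample access-log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/May/2012:10:01:02 +1000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/May/2012:10:01:09 +1000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/May/2012:10:02:30 +1000] "GET /index.php?-s&=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/May/2012:10:03:00 +1000] "GET /index.php?page=about HTTP/1.1" 200 901',
]
FLAGGED = scan_log(SAMPLE_LOG)  # two hits: the ?-s and the encoded ?%2Ds requests
```

The third sample line shows why the unencoded "=" matters: `?-s&=1` is an ordinary query and is correctly left alone by both checks.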
REFERENCES
[1] PHP 5.3.12 and PHP 5.4.2 Released!
http://www.php.net/archive/2012.php#id2012-05-03-1
[2] Eindbazen PHP-CGI advisory (CVE-2012-1823)
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================