
An important PHP security update

PHP 5.3.12 and 5.4.2 have been released to fix a nasty security hole that was disclosed somewhat sooner than planned. Essentially, it allows any remote attacker to pass command-line arguments to the PHP interpreter behind a web page—but only in the (hopefully rare) setups where PHP is invoked via the CGI mechanism. "If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not."


An important PHP security update

Posted May 3, 2012 21:52 UTC (Thu) by abadidea (guest, #62082) [Link] (1 responses)

Someone on the team who disclosed this (https://twitter.com/bl4sty/statuses/198163058412101632) and the Suhosin guy (https://twitter.com/i0n1c/statuses/198158078913417216) both claim the patch is still buggy.

An important PHP security update

Posted May 3, 2012 23:57 UTC (Thu) by rvolgers (guest, #63218) [Link]

It is. Please see our blog for ongoing updates: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

The current PHP patch (which is in the newly released PHP updates) has the following line:

+ if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {

The second decoded_query_string should just be query_string. The current fix can be bypassed by having a %3d sequence in your query string.
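An added C example, not code from the PHP patch or the eindbazen advisory, that places the quoted check beside the corrected one so the %3d bypass can be seen on constructed query strings; the url_decode helper, the function names and the 256-byte buffer are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode `in` into `out` (out needs strlen(in)+1 bytes).
 * '+' becomes a space, as a CGI server does when building argv. */
static void url_decode(const char *in, char *out) {
    for (; *in; in++) {
        if (*in == '%' && isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], 0 };
            *out++ = (char)strtol(hex, NULL, 16);
            in += 2;
        } else if (*in == '+') {
            *out++ = ' ';
        } else {
            *out++ = *in;
        }
    }
    *out = '\0';
}

/* The check as written in the quoted patch line: both tests run on the
 * decoded string, so an encoded '=' (%3d) hides the request from it.
 * Returns 1 when the query string is recognised as CLI arguments. */
int buggy_is_cli_args(const char *query_string) {
    char decoded[256];
    if (strlen(query_string) >= sizeof decoded) return 0;
    url_decode(query_string, decoded);
    return *decoded == '-' && strchr(decoded, '=') == NULL;
}

/* Corrected form: RFC 3875 has the server pass the query string as argv
 * only when the *raw* string contains no unencoded '=', so the '=' test
 * must inspect the raw string, not the decoded copy. */
int fixed_is_cli_args(const char *query_string) {
    char decoded[256];
    if (strlen(query_string) >= sizeof decoded) return 0;
    url_decode(query_string, decoded);
    return *decoded == '-' && strchr(query_string, '=') == NULL;
}

int main(void) {
    /* Constructed sample query strings, not taken from real traffic. */
    const char *samples[] = { "-s", "-s+a%3db", "page=1", "-s&x=1" };
    for (size_t i = 0; i < 4; i++)
        printf("%-10s buggy=%d fixed=%d\n", samples[i],
               buggy_is_cli_args(samples[i]), fixed_is_cli_args(samples[i]));
    return 0;
}
```

Only the second sample separates the two: the buggy check reports 0 for it because the decoded copy contains '=', while the corrected check reports 1.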

At least they are consistent

Posted May 4, 2012 1:03 UTC (Fri) by jmayer (guest, #595) [Link] (1 responses)

The people who brought you this beautiful feature also brought you this. Referenced here, which in turn was referenced on lwn.

At least they are consistent

Posted May 4, 2012 17:59 UTC (Fri) by drag (guest, #31333) [Link]

What's more is that they actually had code in place to properly protect against this sort of attack in 2004, but removed it.

A developer realized that the protection against this sort of attack was interfering with some of the regression tests so he deleted it. Nobody replied to his email explaining why the code check was needed.

Really bizarre stuff.

An important PHP security update

Posted May 4, 2012 1:20 UTC (Fri) by xtifr (guest, #143) [Link] (3 responses)

So FCGI is ok? (I don't have PHP installed, let alone deployed; I'm just curious.)

An important PHP security update

Posted May 4, 2012 2:14 UTC (Fri) by cortana (subscriber, #24596) [Link]

Seems to be (using mod_fcgid to be precise).

An important PHP security update

Posted May 4, 2012 2:29 UTC (Fri) by jmayer (guest, #595) [Link] (1 responses)

If I understand the problem description correctly (and I'm neither a web server expert nor a PHP expert), in order to trigger this problem you need to run PHP scripts via the CGI module. If you run them via the FCGI or PHP modules, your system shouldn't provide this feature.

An important PHP security update

Posted May 4, 2012 23:49 UTC (Fri) by branden (guest, #7029) [Link]

You know you're reading an article on the PHP language when a security hole is described, even inadvertently, as a "feature". ;-)

An important PHP security update

Posted May 4, 2012 5:53 UTC (Fri) by philipstorry (subscriber, #45926) [Link]

Thank you for including details of how to test for this quickly and easily. That's an immense help for busy sysadmins. :-)

An important PHP security update

Posted May 5, 2012 16:29 UTC (Sat) by slashdot (guest, #22014) [Link] (2 responses)

Does anybody use PHP as CGI in practice?

I just tested a ?-s query on something like 20-30 PHP sites randomly found via Google, and none were vulnerable.

An important PHP security update

Posted May 6, 2012 8:49 UTC (Sun) by TRS-80 (guest, #1804) [Link] (1 responses)

An important PHP security update

Posted May 6, 2012 14:19 UTC (Sun) by anselm (subscriber, #2796) [Link]

It seems that there are still people who didn't get that this is a little joke (hint: follow the link that is in the »source code« Facebook returns for that request).

Note that Facebook, on their live sites, uses the PHP language but not the standard PHP implementation. It is therefore highly unlikely that bugs in the stock PHP interpreter would impact them at all.


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds