Critical PHP vulnerability exposes servers to data theft -- or worse

PHP Group releases updates to fix vulnerability that allows a remote attacker to easily pass command-line switches to servers through URLs

A newly reported critical vulnerability in PHP enables would-be cyber criminals to steal source code or inject and run malware in PHP applications by adding command-line parameters to URLs. Fortunately, The PHP Group has announced updates to PHP that its says eliminates the vulnerability.

The vulnerability specifically affects the way PHP-CGI-based setups parse query string parameters from PHP files. FastCGI for PHP installations are not affected. The vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec, according to Eindbazen, the group of researchers that initially found the bug.

Eindbazen discovered the vulnerability back in January while playing Nullcon capture the flag, though it's existed since 2004. The group had been waiting for PHP Group to release a patch before publishing the bug information; however, someone reportedly marketed the bug as public, and it ended up posted to Reddit.

According to US-CERT, "When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution. A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the Web server."

For example, an attacker could view the source code of index.php -- as well as critical credentials information -- by adding -s to the URL, like so: http://localhost/index.php?-s

Additionally, a remote attacker could exploit the vulnerability to cause a denial-of-service attack or possibly even execute code on the target Web server.

The PHP Group has advised that organizations affected by the vulnerability update to PHP 5.3.12 or PHP 5.4.2. "To see if you are [at risk], just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not," according to PHP Group's disclosure.

This story, "Critical PHP vulnerability exposes servers to data theft or worse," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Join the discussion
Be the first to comment on this article. Our Commenting Policies