New PHP exploit CVE-2012-1823

Discussion in 'Coding, Scripting & Programming' started by peterw, Nov 6, 2013.

  1. peterw

    peterw New Member

    800
    189
    Jun 14, 2013
    PHP 5.x Remote Code Execution Exploit available since 2013-10-29. Usage found in logs since 2013-11-04.


    sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script
    (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character,
    which allows remote attackers to execute arbitrary code by placing command-line options in the
    query string, related to lack of skipping a certain php_getopt for the 'd' case.

    The user agent string changes so there are different versions of the exploit available:


    212.62.X.X - - "POST /cgi-bin/php5?%2D%64+%61%6C%6C .."

    Ubuntu 12.04 LTS is still on 5.3.10 but safe due to the backport.

    So please update your systems and restart the webserver.
     
    patz likes this.
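Added example, not part of the original post: a log triage check for the request shape the CVE description above refers to, a query string with no unencoded `=` whose `+`-separated, URL-decoded parts start with `-`. The function names and the sample log lines (documentation IP addresses, timestamps, status codes) are constructed for illustration; the first sample reuses only the truncated query string visible in the post.

```python
import re
from urllib.parse import unquote

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Nov/2013:10:00:00 +0000] "POST /cgi-bin/php5?%2D%64+%61%6C%6C HTTP/1.1" 404 345',
    '192.0.2.11 - - [04/Nov/2013:10:00:05 +0000] "GET /index.php?page=-1 HTTP/1.1" 200 512',
    '192.0.2.12 - - [04/Nov/2013:10:00:09 +0000] "GET /search.php?free+text HTTP/1.1" 200 100',
    '192.0.2.13 - - [04/Nov/2013:10:00:12 +0000] "GET /index.php?%2dd+x%3Dy HTTP/1.1" 200 0',
]

def cgi_argv(target):
    """Return the argument list a CGI gateway derives from the query string.

    Per RFC 3875 section 4.4, a query with no *unencoded* '=' is split on '+'
    and each part is URL-decoded. An encoded '=' (%3D) does not count, so the
    check must run on the raw query, before decoding.
    """
    _, sep, query = target.partition("?")
    if not sep or not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]

def suspicious_requests(lines):
    """Return (client, method, argv) for requests whose derived argv holds
    something that looks like a command-line option. Triage heuristic only."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        argv = cgi_argv(m.group("target"))
        if any(arg.startswith("-") for arg in argv):
            hits.append((line.split()[0], m.group("method"), argv))
    return hits

if __name__ == "__main__":
    for client, method, argv in suspicious_requests(SAMPLE_LOG):
        print(client, method, argv)
```

A hit only shows that the request was attempted; whether the host was affected depends on the PHP version and on php-cgi actually handling the request.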
  2. splitice

    splitice Just a little bit crazy... Verified Provider

    550
    252
    Jun 16, 2013
    Pretty old bug by the looks of it, dotdeb is on PHP 5.4.21 now.
     
  3. peterw

    peterw New Member

    800
    189
    Jun 14, 2013
    Old bug but new exploit.
     
  4. scv

    scv Massive Nerd Verified Provider

    205
    98
    May 30, 2013
    Who puts a php binary in their docroot? This exploit is nothing more than a rehash of a very old technique.
     
  5. RiotSecurity

    RiotSecurity New Member

    310
    37
    Jun 24, 2013
    Sorry, am I missing something?

    It's a year old...
     
  6. splitice

    splitice Just a little bit crazy... Verified Provider

    550
    252
    Jun 16, 2013
    Original release date: 05/11/2012

    Last revised: 07/20/2013
     
  7. talktosandy

    talktosandy New Member

    13
    2
    Nov 14, 2013
    Is this working now?