Attack against PHP-CGI - DoS, Code disclosure and more...
Note: This article was originally published at Planet PHP
on 3 May 2012.
There is a new PHP bug that just became public today (leaked accidentally, it seems...). A flaw in the PHP CGI's input sanitization allows attackers to set command-line options via the query string. This behavior seems to be an oversight / misplaced design decision from 2004 and is only exploitable in specific web servers. Apache is one of them...
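To make the condition concrete from the defender's side, here is an added example (not code from the original post or from the PHP project) that scans Apache access-log lines for requests whose query string a CGI web server would hand to the PHP-CGI binary as command-line arguments. It assumes the CGI convention that a query string with no unencoded "=" is split on "+" into argv for the CGI program, and the log lines it scans are constructed, not real traffic.

```python
"""Scan Apache access-log lines for query strings that a CGI server would pass
to the PHP-CGI binary as command-line arguments.

Added example for this post, not code from the original article. It assumes
Apache's combined log format and the CGI rule that a query string with no
unencoded "=" is split on "+" into argv for the CGI program; the log lines
below are constructed, not real traffic.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample lines: two ordinary requests, two whose query string
# would be interpreted as options rather than form data.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [03/May/2012:10:00:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
198.51.100.7 - - [03/May/2012:10:00:03 +0000] "GET /index.php?-h HTTP/1.1" 200 4096
198.51.100.7 - - [03/May/2012:10:00:04 +0000] "GET /index.php?%2Dv+x%3Dy HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv(query: str) -> List[str]:
    """Return the argv a CGI server derives from a raw query string, or []
    when the query carries a literal "=" (then it is form data, not arguments).

    The "=" check is done on the raw string on purpose: an encoded "%3D" does
    not count, so the query is still split into arguments and decoded."""
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def looks_like_option_injection(target: str) -> bool:
    """True if the request target's query string would reach PHP-CGI as one
    or more words starting with '-', i.e. as command-line options."""
    _, _, query = target.partition("?")
    return any(arg.startswith("-") for arg in cgi_argv(query))


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, request_target) for each suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if looks_like_option_injection(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}")
```

Run as-is it reports the two requests from 198.51.100.7; the fourth line shows why decoding must happen after the "=" test and the "+" split, since "%2Dv" only becomes "-v" once each argument is unquoted. The same condition (no literal "=" in the query string, and a decoded argument beginning with "-") is what a blocking rule in front of PHP-CGI would need to express.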
This opens interesting opportunities. I have blogged about those here: New Exploit @ php-security.net
By the way, Suhosin partially mitigates one of the easier remote code execution vectors that are opened through this attack.