PhpRiot
News Archive
PhpRiot Newsletter
Your Email Address:

More information

PHP 5.3.12 and 5.4.2 releases about CGI flaw (CVE-2012-1823)

Note: This article was originally published at PHP.net news & announcements on 7 May 2012.
PHP.net news & announcements

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this: RewriteCond %{QUERY_STRING} ^[^=]*$ RewriteCond %{QUERY_STRING} %2d|\- [NC] RewriteRule .? - [F,L] Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.

Another set of releases are planned for Tuesday, May, 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).

We apologize for the inconvenience created with these releases and the (lack of) communication around them.