There is a vulnerability in some CGI-based setups (Apache + mod_php and Nginx + PHP-FPM are not affected) that went unnoticed for at least 8 years.
Section 7 of the CGI specification states:
Some systems support a method for passing [sic] an array of strings to a CGI script. This is used only in the case of "indexed" queries, which are defined as GET or HEAD HTTP requests with a URL search string that does not contain unencoded "=" characters.
So requests whose query string does not contain the "=" sign are processed differently by some CGI implementations: the search string is handed to the CGI binary as command-line arguments. For PHP this means that a request containing ?-s (the syntax-highlight switch of the PHP binary) can dump the PHP source code of the page, while a request with ?-s&=1 is handled normally.
A large number of sites run PHP either as an Apache module via mod_php or using PHP-FPM under Nginx. Neither of these setups is vulnerable to this. Running PHP scripts directly as CGI (shebang-style) is also not affected by this vulnerability.
If you use Apache mod_cgi to run PHP, you may be vulnerable. To check, append ?-s to the end of any of your URLs. If you see the source code, you are vulnerable. If your site renders normally, everything is likely in order.
To fix this, upgrade to PHP 5.3.12 or PHP 5.4.2.
We recognize that CGI is a rather outdated way to run PHP, and it may not be possible to update sites to the latest version of PHP. Alternatively, you can configure the web server to reject requests of this kind, that is, requests whose query string begins with "-" and does not contain "=". Adding this rule should not affect the operation of the site. For Apache with mod_rewrite, it looks like this:
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
If you write your own rules, remember to account for the URL-encoded ?%2ds variant as well.
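The check described above, written out as detection logic, is an added example and not code from the PHP project or the original announcement: it mirrors the advisory's RewriteCond (query starts with "-" or "%2d" and contains no literal "="), shows what an "indexed" query becomes on the CGI argument vector, and runs the check over constructed access-log lines (the IPs and timestamps are invented sample data).

```python
import re
from urllib.parse import unquote

# Mirrors the mod_rewrite workaround from the advisory:
#   RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
# Per CGI spec section 7 a query with no unencoded "=" is an "indexed" query.
WORKAROUND_RE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

def is_indexed_query(query: str) -> bool:
    """CGI spec: a GET/HEAD query with no unencoded '=' is an 'indexed' query,
    which the CGI binary receives as command-line arguments."""
    return query != "" and "=" not in query

def looks_like_option_injection(query: str) -> bool:
    """True when the advisory's RewriteCond would block the query: it starts
    with '-' (or its URL-encoded form %2d) and contains no literal '='."""
    return WORKAROUND_RE.match(query) is not None

def decoded_argv(query: str):
    """What an indexed query becomes on argv: split on '+', percent-decoded."""
    return [unquote(part) for part in query.split("+")] if is_indexed_query(query) else []

# Constructed sample access-log lines (not real traffic), Apache common log format.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5123
203.0.113.5 - - [03/May/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5123
198.51.100.7 - - [03/May/2012:10:00:03 +0000] "GET /index.php?-s&=1 HTTP/1.1" 200 842
198.51.100.7 - - [03/May/2012:10:00:04 +0000] "GET /index.php?page=home HTTP/1.1" 200 842
192.0.2.9 - - [03/May/2012:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 842
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) [^?" ]*\??([^" ]*) HTTP/')

def flag_suspicious_requests(log_text: str):
    """Return (client_ip, query) for each GET/HEAD whose query the workaround would block."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and looks_like_option_injection(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Only the two requests without an "=" in the query are flagged; the ?-s&=1 request is exactly the case the advisory describes as harmless.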
A bad week has gotten worse. We had a bug in our bug tracker that flipped the private flag of the bug report to public in a comment on the report, which made this problem public before we had tested the fixes to the level we needed. Please report all problems via bugs.php.net.
To download PHP 5.3.12 or PHP 5.4.2, visit the download page. Windows binaries are available at windows.php.net/download/. A change log is also available.