PHP-CGI query string parameter vulnerability

Discussion in 'vBulletin Discussions' started by News Bot, May 5, 2012.

  1. News Bot

    News Bot Regular Member

    A vulnerability has been found in PHP installations accessed via CGI where an attacker can gain access to command line parameters of PHP and access the server through this vulnerability. This can allow them to manipulate websites outside the standard operating procedure. According to the report, servers set up to use FastCGI are not vulnerable. FastCGI is the recommended method of installing PHP today. However, a lot of servers continue to use the CGI method of calling PHP.

    To see if your server uses CGI or FastCGI, look at your PHP Info (Maintenance -> View PHP Info) in your Admin Control Panel. The first table should have an entry for Server API. This should say "CGI/FASTCGI". If it only says "CGI" then you should contact your host so they can update the server to use FastCGI.

    PHP has released PHP 5.3.12 and 5.4.2 to try and counteract this issue but experts say it isn't adequate.

    For more information please see:
    http://www.kb.cert.org/vuls/id/520827
    http://www.h-online.com/open/news/it...2-1567532.html
    http://www.h-online.com/security/new...e-1568454.html

     
  2. Brandon

    Brandon Regular Member

    whoa..
     
  3. SpacewardAsh

    SpacewardAsh Lurking From Space

    Very interesting, I usually run PHP under suphp and suhosin and not CGI or FastCGI. I've already asked my host for a security audit since I've had reports of multiple WordPress installations being targeted by "hackers" :(
     
  4. AWS

    AWS Administrator

    WordPress had a zero-day vulnerability which they just released a patch for last week. I was hacked by it, although the site that was hacked had a very old version of WP because I had forgotten I still had the site accessible to the web.

    During this, Admin Addict was also hacked because the WP exploit was used to add an iframe in all index.php files on that server.

    This vulnerability has been in PHP for at least 8 months and I'm surprised it was never fixed until someone posted the exploit code. Even then it still isn't properly fixed in the new version they released yesterday.
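
Added example, not part of any post in this thread: an access-log check for the request shape the PHP-CGI issue in the first post depends on. Under the CGI specification (RFC 3875, section 4.4) a query string with no unencoded `=` is handed to the script as command-line arguments, so the check flags such query strings whose first argument begins with `-`. The function names, the log lines and the `-X` switch are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request part of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def query_becomes_argv(query: str) -> bool:
    """True if a CGI server would pass this query string as command-line
    arguments and the first argument looks like a switch.

    RFC 3875 section 4.4: a query string without an unencoded '=' is an
    "indexed" query; it is split on '+' and each part is URL-decoded.
    """
    if not query or "=" in query:
        return False
    # Decode and trim before testing so encoded forms are not missed.
    first_arg = unquote(query.split("+", 1)[0]).lstrip()
    return first_arg.startswith("-")


def suspicious_requests(log_lines):
    """Return (line_number, request_target) for every flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        _path, _, query = match.group("target").partition("?")
        if query_becomes_argv(query):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample lines: documentation IP ranges, placeholder switch "-X".
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2012:10:00:01 +0000] "GET /index.php?t=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/May/2012:10:00:02 +0000] "GET /index.php?-X HTTP/1.1" 200 9001',
    '198.51.100.7 - - [05/May/2012:10:00:03 +0000] "GET /forum.php?%2DX+value HTTP/1.1" 200 77',
    '192.0.2.11 - - [05/May/2012:10:00:04 +0000] "GET /search.php?vbulletin+cgi HTTP/1.1" 200 300',
    '192.0.2.12 - - [05/May/2012:10:00:05 +0000] "GET /showthread.php?p=-1 HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Ordinary `key=value` requests and keyword-style searches are not flagged; a hit means the request should be reviewed, not that the server was compromised.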
     
