3 min read

Mitigation Instructions for CVE-2012-1823

CyRisk Vulnerability Management Team : Mar 21, 2023 2:54:07 PM

security

Mitigation Instructions for CVE-2012-1823

SUBJECT: CVE-2012-1823 PHP-CGI Query String Parameter Vulnerability

TECH STACK: PHP before 5.3.12 and 5.4.x before 5.4.2

DATE(S) ISSUED: 05/11/2012

CRITICALITY: HIGH

OVERVIEW:

CVE-2012-1823 is a vulnerability in the way that the PHP-CGI (Common Gateway Interface) script handler processes certain types of HTTP requests. The vulnerability allows an attacker to execute arbitrary code on the server by including maliciously crafted data in the query string of an HTTP request.

The vulnerability affects PHP versions 5.3.9 and earlier, and it was discovered and disclosed in May 2012. It is considered a critical vulnerability due to the ability of an attacker to execute arbitrary code on the server.

NIST Description: sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

https://nvd.nist.gov/vuln/detail/CVE-2012-1823

THREAT INTELLIGENCE:

CISA has added CVE-2012-1823 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

SOLUTION:

To patch the PHP-CGI query string parameter vulnerability (CVE-2012-1823), you will need to update to a fixed version of PHP. The fixed version of PHP is 5.3.10 or later.

Here are the steps to update PHP on a Unix-based system (such as Linux or macOS):

Check the version of PHP that is currently installed on your system. You can do this by running the following command:

$ php -v

If the version of PHP that is installed on your system is vulnerable to the PHP-CGI query string parameter vulnerability (i.e., it is a version prior to 5.3.10), you will need to update to a fixed version.
Download the latest version of PHP from the official website (https://www.php.net/downloads.php).
Extract the downloaded file using the following command:

$ tar xzf php-5.X.X.tar.gz

**Replace "5.X.X" with the version number of the downloaded file.

Change to the extracted directory using the following command:

$ cd php-5.X.X

Configure the PHP build using the following command:

$ ./configure

Build and install PHP using the following commands:

$ make

$ make install

These commands will build and install the latest version of PHP on your system, which should include a fix for the PHP-CGI query string parameter vulnerability.

It is important to note that you will need to have administrator privileges on the system to install the updated version of PHP.

In addition to updating PHP, it is also a good idea to follow best practices for securing systems and networks, including implementing strong passwords, keeping systems

up-to-date with the latest security patches, and limiting access to the PHP-CGI script handler to trusted users.

REFERENCES:

APPLE:APPLE-SA-2012-09-19-2

URL:http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html

CERT-VN:VU#520827

URL:http://www.kb.cert.org/vuls/id/520827

CERT-VN:VU#673343

URL:http://www.kb.cert.org/vuls/id/673343

CONFIRM:http://support.apple.com/kb/HT5501

CONFIRM:http://www.php.net/ChangeLog-5.php#5.4.2

CONFIRM:http://www.php.net/archive/2012.php#id2012-05-03-1

CONFIRM:https://bugs.php.net/bug.php?id=61910