Mitigation Instructions for CVE-2012-1823

Written by CyRisk Vulnerability Management Team | Mar 21, 2023 6:54:07 PM

SUBJECT: CVE-2012-1823 PHP-CGI Query String Parameter Vulnerability

TECH STACK: PHP before 5.3.12 and 5.4.x before 5.4.2

DATE(S) ISSUED: 05/11/2012

CRITICALITY: HIGH

OVERVIEW:

CVE-2012-1823 is a vulnerability in the way that the PHP-CGI (Common Gateway Interface) script handler processes certain types of HTTP requests. The vulnerability allows an attacker to execute arbitrary code on the server by including maliciously crafted data in the query string of an HTTP request.

The vulnerability affects PHP versions 5.3.9 and earlier, and it was discovered and disclosed in May 2012. It is considered a critical vulnerability due to the ability of an attacker to execute arbitrary code on the server.

NIST Description: sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

https://nvd.nist.gov/vuln/detail/CVE-2012-1823
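
The condition in the NIST description (a query string with no = character that carries command-line options) can be looked for in web server access logs. The script below is an added example, not part of the original advisory; it assumes the combined access log format, and the function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log requests whose query string has no "="
# and contains "-" (literal or percent-encoded as %2d), the request shape
# the NIST description ties to CVE-2012-1823.

# Constructed sample log lines (combined log format, documentation IPs).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [21/Mar/2023:10:00:01 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512
192.0.2.11 - - [21/Mar/2023:10:00:02 +0000] "GET /index.php?-d+PLACEHOLDER HTTP/1.1" 200 1024
192.0.2.12 - - [21/Mar/2023:10:00:03 +0000] "GET /index.php?%2Dd+PLACEHOLDER HTTP/1.1" 200 1024
192.0.2.13 - - [21/Mar/2023:10:00:04 +0000] "GET /search.php?q=a-b HTTP/1.1" 200 300
192.0.2.14 - - [21/Mar/2023:10:00:05 +0000] "GET /page.php?print HTTP/1.1" 200 640
192.0.2.15 - - [21/Mar/2023:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 512
EOF
}

# Read log lines from the files given as arguments, or from stdin.
# Prints "client-ip request-target" for each suspicious request.
# The rule is deliberately broad: a benign "?foo-bar" is also reported,
# so treat hits as leads to review, not as confirmed exploitation.
suspicious_requests() {
    awk '{
        target = $7                      # request target in combined format
        q = index(target, "?")
        if (q == 0) next                 # no query string at all
        query = substr(target, q + 1)
        if (query == "") next
        if (index(query, "=") > 0) next  # ordinary key=value query
        if (query ~ /-|%2[dD]/) print $1, target
    }' "$@"
}

sample_log | suspicious_requests
```

To scan a real log, pass its path as an argument to suspicious_requests instead of piping in the sample.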

THREAT INTELLIGENCE:

CISA has added CVE-2012-1823 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise. 

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

SOLUTION:

To patch the PHP-CGI query string parameter vulnerability (CVE-2012-1823), you will need to update to a fixed version of PHP. The fixed version of PHP is 5.3.10 or later.

Here are the steps to update PHP on a Unix-based system (such as Linux or macOS):

  1. Check the version of PHP that is currently installed on your system. You can do this by running the following command:

$ php -v

  2. If the version of PHP that is installed on your system is vulnerable to the PHP-CGI query string parameter vulnerability (i.e., it is a version prior to 5.3.10), you will need to update to a fixed version.
  3. Download the latest version of PHP from the official website (https://www.php.net/downloads.php).
  4. Extract the downloaded file using the following command:

$ tar xzf php-5.X.X.tar.gz

Replace "5.X.X" with the version number of the downloaded file.

  5. Change to the extracted directory using the following command:

$ cd php-5.X.X

  6. Configure the PHP build using the following command:

$ ./configure

  7. Build and install PHP using the following commands:

$ make

$ make install

These commands will build and install the latest version of PHP on your system, which should include a fix for the PHP-CGI query string parameter vulnerability.
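
A scripted form of the version check, as an added example that is not part of the original advisory: it reads the php-cgi banner and compares it against the affected ranges in the NIST description above (before 5.3.12, and 5.4.x before 5.4.2). The function names and the banner shape "PHP x.y.z (cgi-fcgi)" are assumptions.

```shell
#!/bin/sh
# Added example. Ranges come from the NIST description on this page:
# affected = before 5.3.12, and 5.4.x before 5.4.2.

# Extract "x.y.z..." from the first line of a `php-cgi -v` banner.
# Assumed banner shape: "PHP 5.3.3-7 (cgi-fcgi) (built: ...)".
version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][^ ]*\).*/\1/p'
}

# Print "affected", "fixed" or "unknown" for a version string.
cve_2012_1823_status() (
    # Keep the numeric x.y.z prefix; suffixes such as "-7" are dropped.
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; exit 0; }
    IFS=.; set -- $ver
    major=$1; minor=$2; patch=$3
    if   [ "$major" -lt 5 ]; then echo affected
    elif [ "$major" -gt 5 ]; then echo fixed
    elif [ "$minor" -lt 3 ]; then echo affected
    elif [ "$minor" -eq 3 ]; then
        if [ "$patch" -lt 12 ]; then echo affected; else echo fixed; fi
    elif [ "$minor" -eq 4 ]; then
        if [ "$patch" -lt 2 ]; then echo affected; else echo fixed; fi
    else echo fixed
    fi
)

# Check the php-cgi binary on PATH, if there is one. A distribution package
# can carry a backported fix under an older x.y.z, so read "affected" as
# "verify against the vendor advisory", not as proof.
check_local_php_cgi() {
    if command -v php-cgi >/dev/null 2>&1; then
        banner=$(php-cgi -v 2>/dev/null | head -n 1)
        version=$(version_from_banner "$banner")
        echo "php-cgi $version: $(cve_2012_1823_status "$version")"
    else
        echo "php-cgi not found on PATH"
    fi
}

check_local_php_cgi
```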

It is important to note that you will need to have administrator privileges on the system to install the updated version of PHP.

In addition to updating PHP, it is also a good idea to follow best practices for securing systems and networks, including implementing strong passwords, keeping systems up-to-date with the latest security patches, and limiting access to the PHP-CGI script handler to trusted users.

