SUBJECT: CVE-2012-1823 PHP-CGI Query String Parameter Vulnerability
TECH STACK: PHP before 5.3.12 and 5.4.x before 5.4.2
DATE(S) ISSUED: 05/11/2012
CRITICALITY: HIGH
OVERVIEW:
CVE-2012-1823 is a vulnerability in the way that the PHP-CGI (Common Gateway Interface) script handler processes certain types of HTTP requests. The vulnerability allows an attacker to execute arbitrary code on the server by including maliciously crafted data in the query string of an HTTP request.
The vulnerability affects PHP versions 5.3.9 and earlier, and it was discovered and disclosed in May 2012. It is considered a critical vulnerability due to the ability of an attacker to execute arbitrary code on the server.
NIST Description: sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
https://nvd.nist.gov/vuln/detail/CVE-2012-1823
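The condition in the NIST description (a query string with no "=" whose content is a command-line option) can be checked for in web server access logs. The following is an added detection example, not code from PHP or from the original advisory; the function names, the Common/Combined Log Format assumption and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_cgi_option_query(query: str) -> bool:
    """True when a query string would reach php-cgi as command-line options.

    Condition taken from the NIST description: no unencoded '=' in the
    query string, and the decoded text begins with '-' (an option switch).
    """
    if not query or "=" in query:
        return False
    # Percent-encoding and '+' can hide the leading '-', so decode first.
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")


def suspicious_requests(log_lines):
    """Return (line_number, target) for every log line matching the pattern."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        _path, _sep, query = match.group("target").partition("?")
        if is_cgi_option_query(query):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/May/2012:10:00:01 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512',
    '192.0.2.11 - - [11/May/2012:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 9041',
    '192.0.2.12 - - [11/May/2012:10:00:03 +0000] "POST /index.php?%2Dd+example_setting%3D1 HTTP/1.1" 200 17',
    '192.0.2.13 - - [11/May/2012:10:00:04 +0000] "GET /search.php?keyword HTTP/1.1" 200 300',
    '192.0.2.14 - - [11/May/2012:10:00:05 +0000] "GET /index.php?q=-s HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Only lines 2 and 3 of the sample are flagged: the encoded "=" (%3D) in line 3 does not count as an equals sign, while "keyword" and "q=-s" are ordinary queries.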
THREAT INTELLIGENCE:
CISA has added CVE-2012-1823 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
SOLUTION:
To patch the PHP-CGI query string parameter vulnerability (CVE-2012-1823), you will need to update to a fixed version of PHP. The fixed version of PHP is 5.3.10 or later.
Here are the steps to update PHP on a Unix-based system (such as Linux or macOS):
$ php -v
$ tar xzf php-5.X.X.tar.gz
Replace "5.X.X" with the version number of the downloaded file.
$ cd php-5.X.X
$ ./configure
$ make
$ make install
These commands will build and install the latest version of PHP on your system, which should include a fix for the PHP-CGI query string parameter vulnerability.
It is important to note that you will need to have administrator privileges on the system to install the updated version of PHP.
In addition to updating PHP, it is also a good idea to follow best practices for securing systems and networks, including implementing strong passwords, keeping systems up-to-date with the latest security patches, and limiting access to the PHP-CGI script handler to trusted users.