JPCERT-AT-2012-0016
JPCERT/CC
2012-05-09 (First edition)
2012-05-10 (Updated)
<<< JPCERT/CC Alert 09.05.12 >>>
Vulnerability in PHP
https://www.jpcert.or.jp/english/at/2012/at120016.html
I. Overview
The PHP Group released information regarding a vulnerability in
php-cgi request processing. According to the PHP Group, when PHP is
running on a web server in CGI mode, a remote attacker could use this
vulnerability to view the source code of the PHP script or execute
arbitrary code with the privileges of the web server.
Attack methods that use this vulnerability have been released
publicly. Therefore, refer to “III. Confirmation method” to determine
whether the servers you manage are affected by this vulnerability. If
they are, we recommend updating PHP to the corrected version supplied
by the PHP Group.
PHP Group
#61910 VU#520827 - PHP-CGI query string parameter vulnerability
https://bugs.php.net/bug.php?id=61910
II. Products Affected
Affected versions are as follows:
- Earlier than PHP version 5.4.3
- Earlier than PHP version 5.3.13
III. Confirmation method
According to the PHP Group, when a page on the website is requested
with a URL ending in “?-s” (the option that displays the source code),
the server is affected by this vulnerability if the source code
appears.
(Confirmation method example)
http://example.com/index.php?-s
* The above URL is only one example.
* If both module mode and CGI mode may be in use, check all the
directories where PHP runs.
*** Update: information added on 10 May, 2012 ************************
Since a part of the vulnerability is corrected in PHP 5.4.2/PHP
5.3.12 released by the PHP Group on May 3, the source code may not
appear even when the confirmation method is used.
**********************************************************************
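As a complement to the confirmation method above, the following added example (not part of the original alert and not PHP Group code) scans web server access logs for requests shaped like the “?-s” check, so administrators can see whether their servers have already received such requests. It generalizes from “-s” to any query string that begins with “-”, and assumes the CGI convention that a query string containing no “=” is passed to the program as command-line arguments; the Apache-style log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache common/combined log entry (assumed format):
# "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_switch_query(target):
    """True if the query string looks like a command-line switch such as
    the advisory's "-s": it contains no '=' and, after percent-encoding
    is normalised, it starts with '-'."""
    _path, sep, query = target.partition("?")
    if not sep or "=" in query:
        return False  # no query string, or ordinary key=value parameters
    return unquote(query).lstrip().startswith("-")


def find_probes(log_lines):
    """Return (line_number, request_target) for each matching request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_switch_query(match.group("target")):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2012:10:00:01 +0900] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.11 - - [09/May/2012:10:00:05 +0900] "GET /index.php?id=-5 HTTP/1.1" 200 830',
    '192.0.2.13 - - [09/May/2012:10:00:12 +0900] "GET /search.php?q=a-s HTTP/1.1" 200 990',
    '192.0.2.14 - - [09/May/2012:10:00:15 +0900] "GET /about.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, target in find_probes(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A match only shows that such a request was received; whether the server is affected still depends on the PHP version and on whether PHP runs in CGI mode.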
IV. Solution
The PHP Group has released a version that corrects this
vulnerability. We recommend deploying the corrected version after
thorough testing.
Corrected versions
- PHP version 5.4.3
- PHP version 5.3.13
* Support for PHP 5.2 ended in January 2011, so we recommend that
anyone using versions 5.2 and older update to the latest version.
If you use PHP provided by a distributor, refer to information
supplied by them.
V. References
PHP Group
PHP 5.4.3 and PHP 5.3.13 Released!
http://www.php.net/archive/2012.php#id2012-05-08-1
PHP Group
#61910 VU#520827 - PHP-CGI query string parameter vulnerability
https://bugs.php.net/bug.php?id=61910
JVNVU#520827
PHP-CGI query string request processing vulnerability
https://jvn.jp/cert/JVNVU520827/index.html
*** Update: information added on 10 May, 2012 ************************
Debian
DSA-2465-1 php5 -- several vulnerabilities
http://www.debian.org/security/2012/dsa-2465
Canonical Ltd.
CVE-2012-2311 in Ubuntu
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html
Novell, Inc.
SUSE-SU-2012:0604-1: critical: Security update for PHP5
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html
**********************************************************************
If you have any information regarding this alert, please contact
JPCERT/CC.
________
Revision history
2012-05-09 First edition
2012-05-10 Information added in “III. Confirmation method” and References.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/