PHP CGI Query String Parameters Command Execution
Added: 05/15/2012CVE: CVE-2012-1823
BID: 53388
OSVDB: 81633
Background
PHP is a widely used general-purpose scripting language that is especially suited for Web development.Problem
When configured as a CGI script (aka php-cgi), PHP does not properly handle query string parameters which are passed directly to the php-cgi program. This can be exploited to execute arbitrary system commands or disclose the PHP source code.Resolution
Upgrade PHP to version 5.4.3 or 5.3.13 or higher.References
http://secunia.com/advisories/49014http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823
Limitations
This exploit has been tested against PHP 5.3.10 on Windows XP SP3 and PHP 5.4.0 on Ubuntu 11.10 Linux.Platforms
WindowsLinux
Mac OS X
Back to exploit index