CVE-2012-1823

Published: 3 May 2012

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

From the Ubuntu Security Team

It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server. Configurations using mod_php5 and FastCGI were not vulnerable.

Notes

Fix was incomplete, see CVE-2012-2311

Status

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
• http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
• https://ubuntu.com/security/notices/USN-1437-1
• NVD
• Launchpad
• Debian

Bugs

• https://bugs.php.net/bug.php?id=61910