New PHP-CGI exploit: CVE-2012-1823, Badly affecting php scripts

Recently some folks reported an interesting and nasty bug with php which will allow an intruder to view the source code and access the file systems.

As per the update from php ( http://php.net ) , this bug has gone unnoticed for at least past 8 years .

# Who all are affected ?

If you are using Apache mod_cgi to run PHP you may be vulnerable to this bug.

# Are you safe ?

Just pass the argument “ ?-s “ to any of  your php pages and see.  Are you shocked ???
If you pass the following arguments in your site , say example.com :

1 ) http://example.com/index.php?-s
Will dump your source code of the file index.php ( in simple words it will display the content of the file index.php )

2) http://example.com/index.php?-dauto_prepend_file%3d/etc/passwd+-n
Will display your /etc/passwd file !!!!!!!

# Which all php versions are affected ?

The PHP Group – PHP 5.3.11,PHP 5.3.10, 5.4.0 and  5.4.1

# How to fix ?

To fix this, upgrade your php to PHP 5.3.12 or PHP 5.4.2.

# Any Patch ?

Yes , php has provided  a temporary work around . I have tested and confirmed ( in php 5.3.10 )that  this will close the loop hole .
Apply the following rewrite rule in your sites DocumentRoot .htaccess file .

 
         RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
         RewriteRule ^(.*) $1? [L]

 

# More Reference ?
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

http://www.php.net/archive/2012.php#id2012-05-03-1