PHP patch quick but inadequate
The updates to PHP versions 5.3.12 and 5.4.2 released on Thursday do not fully resolve the vulnerability that was accidentally disclosed on Reddit, according to the discoverer of the flaw. The bug in the way CGI and PHP interact with each other leads to a situation where attackers can execute code on affected servers. The issue remained undiscovered for eight years.
The best protection at present is offered by setting up filter rules on the web server. However, the RewriteRule workaround described on PHP.net is also, according to security expert Christopher Kunz, inadequate. He suggests a slightly modified form of the rule as an alternative.
Because the PHP interpreter for CGI does not comply with the specifications laid out in the CGI standard, URL parameters can, under certain circumstances, be passed to PHP as command line arguments. Servers which run PHP in CGI mode are affected; FastCGI PHP installations are not. The PHP patch is supposed to ensure that parameter strings beginning with a minus sign and which do not contain an equals sign are ignored. According to the discoverer of the vulnerability, this can be bypassed easily. A new, slightly modified patch which uses
query_string instead of
decoded_query_string for one comparison has already been submitted to the bug tracking system.
Users can determine whether they are affected by the bug by appending the string
?-s to a URL. If the server returns PHP source code, rapid action is required. A Metasploit module which opens a remote shell for executing arbitrary code on vulnerable servers is already available.