PHP team makes another attempt to close critical CGI hole
The PHP development team has made another attempt to fix the critical vulnerability in the interaction with CGI. In CGI mode, PHP interprets certain URL parameters as command line parameters. This can, for example, cause affected servers to return the source code of a page if the ?-s character string is attached to the end of a URL (e.g. http://www.h-online.com/?-s). Code can also be executed this way.
The details of the vulnerability were made public when the developers accidentally marked the relevant entry in the bug tracking system as "public". The vulnerability is being actively exploited for attacks. Originally, the problem was supposed to be fixed in versions 5.3.12 and 5.4.2, which were released last week. However, it was soon found that the updates provided an incomplete solution and that further ways of exploiting the hole appeared to exist. Security experts also say that the rewrite rule that was initially published as a workaround could easily be bypassed.
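The two paragraphs above describe the mechanism (a query string that a CGI web server hands to PHP as command line arguments) and note that the first rewrite-rule workaround was easy to bypass. The following is an added detection example, written for this edit and not code from the PHP project or from the article: it scans constructed Apache-style access log lines and flags requests whose query string would reach the CGI binary as arguments. It assumes the CGI/1.1 rule (RFC 3875, section 4.4) that a server only passes the query string as argv when it contains no unencoded "=", and that each "+"-separated word is percent-decoded first; the log lines, IP addresses and paths are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-style); not from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [07/May/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.11 - - [07/May/2012:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 4096
192.0.2.12 - - [07/May/2012:10:00:03 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 4096
192.0.2.13 - - [07/May/2012:10:00:04 +0000] "GET /index.php?page=-s HTTP/1.1" 200 512
192.0.2.14 - - [07/May/2012:10:00:05 +0000] "GET /index.php?a%3D1 HTTP/1.1" 200 512
"""

# Pull the request line ("METHOD target HTTP/x.y") out of one log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_cgi_argv_query(query: str) -> bool:
    """Return True if this raw query string would be handed to a CGI script as argv.

    Under RFC 3875 section 4.4 a server passes the query string as command-line
    arguments only when it contains no unencoded '='. Each '+'-separated word is
    percent-decoded and becomes one argument, so a rule that only inspects the
    literal text of the query (e.g. matching '?-') misses an encoded dash such
    as '%2D'. Decoding first is what makes this check reliable.
    """
    if not query or '=' in query:
        return False
    words = [unquote(w) for w in query.split('+') if w]
    return any(w.startswith('-') for w in words)


def flag_requests(log_text: str):
    """Return (client_ip, request_target) for every log entry whose query string
    would be parsed as CGI arguments beginning with '-'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group('target')
        _, _, query = target.partition('?')
        if is_cgi_argv_query(query):
            client_ip = line.split(' ', 1)[0]
            hits.append((client_ip, target))
    return hits


if __name__ == '__main__':
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f'{ip} {target}')
```

On the sample data the plain `?-s` request and the percent-encoded variant are both flagged, while `?page=-s` (contains an unencoded "=", so the server passes it as QUERY_STRING rather than argv) and `?a%3D1` (argv-style, but the decoded word does not start with a dash) are not. The same decode-then-check logic is the property a blocking rule needs; a rewrite rule that matches only the literal characters of the query string is the kind of workaround the article says was bypassed.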
With the release of versions 5.3.13 and 5.4.3, the developers have renewed their promise that the hole has now been fixed – and first tests by PHP expert Christopher Kunz indicate that they have delivered this time. A buffer overflow in the apache_request_headers function has also been fixed in the 5.4 branch. Details about this hole have also been available on the net since last week. Security expert Georg Wicherski says that the vulnerability involves a stack buffer overflow that can only be exploited on systems that run PHP in CGI mode. Reportedly, the vulnerability can be exploited in combination with components such as the lighttpd web server.
At the end of last week, Wicherski also released a simple PoC exploit. He says that he became aware of the problem from the entry in the bug tracking database. Wicherski explained that, while the hole was marked as "private" to make its details inaccessible to the public, the displayed vulnerability name was enough for him to track it down in the PHP source code within 5 minutes.
Meanwhile, Facebook has taken the opportunity to use the CGI flaw for its own purposes. Visitors to http://facebook.com/?-s will find PHP code which directs them to a recruitment page for a security engineer.