Hash: SHA1

                         AUSCERT Security Bulletin

       A vulnerability has been identified in PHP prior to versions
                             5.3.12 and 5.4.2
                                4 May 2012


        AusCERT Security Bulletin Summary

Product:              PHP
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Mitigation
CVE Names:            CVE-2012-1823  
Member content until: Sunday, June  3 2012

Comment: Some sources have stated that these updates do not correct the 
         reported vulnerability, and as such additional mitigation information 
         has been provided.


        A vulnerability has been identified in PHP prior to versions 5.3.12 and
        5.4.2. [1]


        The vendor has provided the following details regarding this
        vulnerability which has been assigned CVE-2012-1823:
        "There is a vulnerability in certain CGI-based setups (Apache+mod_php 
        and nginx+php-fpm are not affected) that has gone unnoticed for at 
        least 8 years. Section 7 of the CGI spec states:
        Some systems support a method for supplying a [sic] array of strings to 
        the CGI script. This is only used in the case of an `indexed' query. 
        This is identified by a "GET" or "HEAD" HTTP request with a URL search 
        string not containing any unencoded "=" characters. 
        So, requests that do not have a "=" in the query string are treated 
        differently from those who do in some CGI implementations. For PHP 
        this means that a request containing ?-s may dump the PHP source code 
        for the page, but a request that has ?-s&=1 is fine.
        A large number of sites run PHP as either an Apache module through 
        mod_php or using php-fpm under nginx. Neither of these setups are
        vulnerable to this. Straight shebang-style CGI also does not appear to 
        be vulnerable.
        If you are using Apache mod_cgi to run PHP you may be vulnerable. To 
        see if you are, just add ?-s to the end of any of your URLs. If you 
        see your source code, you are vulnerable. If your site renders 
        normally, you are not." [1]
        While the vendor states that the updated version of PHP will correct
        this issue, the Einbbazen blog where the original disclosure of the 
        vulnerability was made has stated that:
        "The new PHP release is buggy. You can use their mitigation mod_rewrite 
        rule, but the patch and new released versions do not fix the 
        problem." [2]
        The Eindbazen blog also provides additional methods to mitigate this
        issue, however as these are not official vendor supplied mitigations 
        they should be used at your own risk. [2]


        The vendor has provided the following details regarding available 
        updates and a workaround:
        "To fix this, update to PHP 5.3.12 or PHP 5.4.2.
        We recognize that since CGI is a rather outdated way to run PHP, it may 
        not be feasible to upgrade these sites to a modern version of PHP. An 
        alternative is to configure your web server to not let these types of 
        requests with query strings starting with a "-" and not containing a 
        "=" through. Adding a rule like this should not break any sites. For 
        Apache using mod_rewrite it would look like this:
                 RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
                 RewriteRule ^(.*) $1? [L]
        If you are writing your own rule, be sure to take the urlencoded ?%2ds 
        version into account." [1]


        [1] PHP 5.3.12 and PHP 5.4.2 Released!

        [2] Eindbazen PHP-CGI advisory (CVE-2012-1823)

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967