ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability

Notice: Monitoring services will be discontinued from March 31st, 2019.

The PHP CGI query string code execution issue is a high-risk vulnerability and one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve, or prone to being overlooked entirely.

According to PHP's website, "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." When PHP is run in a CGI-based setup (such as Apache's mod_cgid), the php-cgi binary receives the processed query string as command-line arguments. This allows command-line switches such as -s, -d or -c to be passed to php-cgi, which can be exploited to disclose source code and obtain arbitrary code execution.

An example using the -s switch, which lets an attacker view the source code of index.php, is below:

http://localhost/index.php?-s

An error in the file sapi/cgi/cgi_main.c allows a remote attacker to obtain PHP source code from the web server or potentially to execute arbitrary code. sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string; this is related to the failure to skip a certain php_getopt call for the d case.

The solutions are:

- Apply update

Upgrading Parallels Plesk Panel to version 9.5.x, 10.x or 11.x eliminates this vulnerability. It is possible to mitigate the problem by applying a configuration setting in .htaccess, but the best mitigation is to upgrade to the latest version. The official statement by Parallels reads: "All currently supported versions of Parallels Plesk Panel 9.5, 10.x and 11.x, as well as Parallels Plesk Automation, are not vulnerable. If a customer is using a legacy, no longer supported version of Parallels Plesk Panel, they should upgrade to the latest version."

- Apply mod_rewrite rule

PHP has stated that an alternative is to configure your web server not to let through requests whose query string starts with a "-" and does not contain a "=". Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this (the two RewriteCond lines match a raw query string that contains no "=" and contains a "-", either literal or URL-encoded as %2d, and the RewriteRule answers such a request with 403 Forbidden):

RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
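
To check the rule's logic offline and to hunt for such requests in existing access logs, here is an added Python example; it is not from the original article, and the log lines in it are constructed. It flags every request the rule would reject and lists the php-cgi switches the query string would decode to, so a hit with no switches (such as ?my-page) shows where the rule would block a harmless request.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample Apache access-log lines (not from the original article).
SAMPLE_LOG = """\
198.51.100.10 - - [10/Jan/2019:08:00:00 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
198.51.100.11 - - [10/Jan/2019:08:00:01 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 2048
198.51.100.12 - - [10/Jan/2019:08:00:02 +0000] "GET /index.php?page=-s HTTP/1.1" 200 512
198.51.100.13 - - [10/Jan/2019:08:00:03 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512
198.51.100.14 - - [10/Jan/2019:08:00:04 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.15 - - [10/Jan/2019:08:00:05 +0000] "GET /index.php?my-page HTTP/1.1" 200 512
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def matches_rewrite_rule(query: str) -> bool:
    """Same test as the two RewriteCond lines: the raw query string contains
    no literal '=' and contains a '-' either literally or encoded as %2d
    (case-insensitive). Apache does not decode %{QUERY_STRING}, so an
    encoded %3d does not count as '='."""
    if "=" in query:
        return False
    return re.search(r"%2d|-", query, re.IGNORECASE) is not None

def cgi_switches(query: str) -> list:
    """Decode the query string the way it would reach php-cgi's argv and
    return the tokens that look like command-line switches (e.g. '-s')."""
    return [tok for tok in unquote_plus(query).split() if tok.startswith("-")]

def flag_requests(log_text: str) -> list:
    """Return (client, target, switches) for every request the rule would
    reject. Requests containing '=' are skipped even if they contain '-'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        if query and matches_rewrite_rule(query):
            hits.append((line.split()[0], m.group("target"), cgi_switches(query)))
    return hits

if __name__ == "__main__":
    for client, target, switches in flag_requests(SAMPLE_LOG):
        print(f"{client} {target} switches={switches}")
```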

Servers set up to use FastCGI are not vulnerable. FastCGI is the recommended method of installing PHP, so switching from CGI to FastCGI improves the PHP security level.
