BID:53388

PHP 'php-cgi' Information Disclosure Vulnerability

Info

PHP 'php-cgi' Information Disclosure Vulnerability

Bugtraq ID:	53388
Class:	Unknown
CVE:	CVE-2012-1823 CVE-2012-2311 CVE-2012-2336 CVE-2012-2335
Remote:	Yes
Local:	No
Published:	May 04 2012 12:00AM
Updated:	Apr 13 2015 10:15PM
Credit:	De Eindbazen
Vulnerable:	Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu Ubuntu Linux 8.04 LTS amd64 Ubuntu Ubuntu Linux 12.04 LTS i386 Ubuntu Ubuntu Linux 12.04 LTS amd64 Ubuntu Ubuntu Linux 11.10 i386 Ubuntu Ubuntu Linux 11.10 amd64 Ubuntu Ubuntu Linux 11.04 powerpc Ubuntu Ubuntu Linux 11.04 i386 Ubuntu Ubuntu Linux 11.04 ARM Ubuntu Ubuntu Linux 11.04 amd64 Ubuntu Ubuntu Linux 10.04 sparc Ubuntu Ubuntu Linux 10.04 powerpc Ubuntu Ubuntu Linux 10.04 i386 Ubuntu Ubuntu Linux 10.04 ARM Ubuntu Ubuntu Linux 10.04 amd64 Turbolinux Client 2008 Turbolinux Appliance Server 3.0 x64 Turbolinux Appliance Server 3.0 Turbolinux 11 Server x64 Turbolinux 11 Server 0 SuSE SUSE Linux Enterprise Server for VMware 11 SP2 + Linux kernel 2.6.5 SuSE SUSE Linux Enterprise Server for VMware 11 SP1 + Linux kernel 2.6.5 SuSE SUSE Linux Enterprise Server 11 SP2 + Linux kernel 2.6.5 SuSE SUSE Linux Enterprise Server 11 SP1 SuSE SUSE Linux Enterprise Server 10 SP4 SuSE SUSE Linux Enterprise Server 10 SP3 LTSS SuSE SUSE Linux Enterprise SDK 11 SP2 SuSE SUSE Linux Enterprise SDK 11 SP1 SuSE SUSE Linux Enterprise SDK 10 SP4 S.u.S.E. openSUSE 12.1 S.u.S.E. openSUSE 11.4 Redhat Enterprise Linux Workstation Optional 6 Redhat Enterprise Linux Workstation 6 Redhat Enterprise Linux Server Optional EUS 6.1 Redhat Enterprise Linux Server Optional EUS 6.0 Redhat Enterprise Linux Server Optional 6 Redhat Enterprise Linux Server EUS 6.1.z Redhat Enterprise Linux Server EUS 6.0 Redhat Enterprise Linux Server 6 Redhat Enterprise Linux Long Life 5.3 Server Redhat Enterprise Linux HPC Node Optional 6 Redhat Enterprise Linux HPC Node 6 Redhat Enterprise Linux EUS 5.6.z server Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux Desktop Optional 6 Redhat Enterprise Linux 5 Server PHP PHP 5.4.2 PHP PHP 5.4.1 PHP PHP 5.3.12 PHP PHP 5.3.9 PHP PHP 5.3.8 PHP PHP 5.3.7 PHP PHP 5.3.6 PHP PHP 5.3.2 PHP PHP 5.3.1 PHP PHP 5.3.5 PHP PHP 5.3.4 PHP PHP 5.3.3 PHP PHP 5.3.10 Parallels Parallels Plesk Panel 9.5.4 Parallels Parallels Plesk Panel 9.3 Parallels Parallels Plesk Panel 9.2 Parallels Parallels Plesk Panel 9.0 Parallels Parallels Plesk Panel 8.6 Oracle Enterprise Linux 6.2 Oracle Enterprise Linux 6 Oracle Enterprise Linux 5 Mandriva Linux Mandrake 2011 x86_64 Mandriva Linux Mandrake 2011 Mandriva Linux Mandrake 2010.1 x86_64 Mandriva Linux Mandrake 2010.1 MandrakeSoft Enterprise Server 5 x86_64 MandrakeSoft Enterprise Server 5 Juniper CTPView 4.6 Juniper CTPView 4.5 Juniper CTPView 4.4 Juniper CTPView 4.3 Juniper CTPView 4.2 IBM Lotus Foundations Start 1.2.2a IBM Lotus Foundations Start 1.2 HP System Management Homepage 7.2 HP System Management Homepage 7.1.2 HP System Management Homepage 7.1.1 HP System Management Homepage 7.1 HP System Management Homepage 7.0 HP System Management Homepage 6.3 HP System Management Homepage 6.2 HP System Management Homepage 6.1 HP System Management Homepage 6.0 HP HP-UX B.11.31 Gentoo Linux Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 arm Debian Linux 6.0 amd64 Avaya Voice Portal 5.1.2 Avaya Voice Portal 5.1.1 Avaya Voice Portal 5.1 SP1 Avaya Voice Portal 5.1 Avaya Voice Portal 5.1 Avaya Voice Portal 5.0 SP2 Avaya Voice Portal 5.0 SP1 Avaya Voice Portal 5.0 Avaya IP Office Application Server 8.1 Avaya IP Office Application Server 8.0 Avaya IP Office Application Server 7.0 Avaya IP Office Application Server 6.1 Avaya IP Office Application Server 6.0 Avaya Aura Session Manager 5.2 SP2 Avaya Aura Session Manager 5.2 SP1 Avaya Aura Session Manager 5.2 Avaya Aura Messaging 6.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Messaging 6.0.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Messaging 6.0 Avaya Aura Communication Manager Utility Services 6.2 Avaya Aura Communication Manager Utility Services 6.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Communication Manager Utility Services 6.0 Avaya Aura Communication Manager 6.0.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Communication Manager 6.0 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Application Enablement Services 5.2.1 Avaya Aura Application Enablement Services 6.1.1 Avaya Aura Application Enablement Services 6.1 Avaya Aura Application Enablement Services 5.2.3 Avaya Aura Application Enablement Services 5.2.2 Avaya Aura Application Enablement Services 5.2 Apple Mac OS X Server 10.7.5 Apple Mac OS X Server 10.7.3 Apple Mac OS X Server 10.7.2 Apple Mac OS X Server 10.7.1 Apple Mac OS X Server 10.7 Apple Mac OS X Server 10.6.8 Apple Mac OS X 10.8.1 Apple Mac OS X 10.8 Apple Mac OS X 10.7.4 Apple Mac OS X 10.7.3 Apple Mac OS X 10.7.2 Apple Mac OS X 10.7.1 Apple Mac OS X 10.7 Apple Mac OS X 10.6.8

Not Vulnerable:	PHP PHP 5.3.13 Juniper CTPView 7.0R1 IBM Lotus Foundations Start 1.2.2b HP System Management Homepage 7.2.1 HP System Management Homepage 7.1.1 Apple Mac OS X 10.8.2 Apple Mac OS X 10.7.5

Exploit / POC

PHP 'php-cgi' Information Disclosure Vulnerability

An attacker can exploit this issue through a browser.

The following example URI and exploit codes are available:

http://www.example.com/index.php?-s

/data/vulnerabilities/exploits/53388-2.py
/data/vulnerabilities/exploits/53388.php
/data/vulnerabilities/exploits/53388-3.py
/data/vulnerabilities/exploits/53388.pl
/data/vulnerabilities/exploits/53388.zip
/data/vulnerabilities/exploits/53388.c
/data/vulnerabilities/exploits/53388-4.py
/data/vulnerabilities/exploits/53388-5.py
/data/vulnerabilities/exploits/53388.rb
/data/vulnerabilities/exploits/53388-1.py

References

PHP 'php-cgi' Information Disclosure Vulnerability

References:

Eindbazen PHP-CGI advisory (CVE-2012-1823) (De Eindbazen)
HPSBUX02791 SSRT100856 rev.1 - HP-UX Apache Web Server running PHP, Remote Execu (HP)
Lotus Foundations Start ProductPage (IBM)
Parallels Plesk Panel: PHP-CGI remote code execution vulnerability (CVE-2012-182 (Parallels)
Parallels Plesk Panel: phppath/PHP vulnerability (Parallels)
PHP CGI Argument Injection Exploit (Rapid7)
PHP Homepage (PHP)
Plesk Apache Zeroday Remote Exploit (Fulldisclosure)
#61910 VU#520827 - PHP-CGI query string parameter vulnerability (PHP)
[security bulletin] HPSBMU02900 rev.3 - HP System Management Homepage (SMH) runn (HP)
2014-11 Security Bulletin: CTPView: Multiple Security vulnerabilities resolved b (Juniper)
ASA-2012-219 php53 security update (RHSA-2012-0547) (Avaya)
ASA-2012-298: php security update (RHSA-2012-1045) (Avaya)
Critical open hole in PHP creates risks - Update (H Security)
HPSBMU02786 SSRT100877 rev.1 - HP System Management Homepage (SMH) Running on Li (HP)
HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and Win (HP)
PHP 5.3.12 and PHP 5.4.2 Released! (PHP)
Security Bulletin: Lotus Foundations PHP Argument Command Injection (CVE-2012-18 (IBM)
Turbolinux Security Advisory TLSA-2012-14 (Turbolinux)
VU#673343 Parallels Plesk Panel phppath/php vulnerability (CERT)
Vulnerability Note VU#520827 PHP-CGI query string parameter vulnerability (De Eindbazen)