PHP-CGI Query String Parameter Vulnerability
A serious PHP vulnerability has been disclosed today. Only sites running PHP as a CGI script are affected. From php.net:
Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an ‘indexed’ query. This is identified by a “GET” or “HEAD” HTTP request with a URL search string not containing any unencoded “=” characters.
By constructing a URL similar to the following on a PHP-CGI site, an attacker could dump the highlighted source of that script.
http://example.com/index.php?-s
php.net has issued a patch to fix this issue in PHP 5.3.12 or PHP 5.4.2. However, as pointed out by De Eindbazen, the patch is trivial to bypass.
A workaround has been provided by php.net using Apache’s mod_rewrite:
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
Other mitigation options have been proposed by De Eindbazen, but you may find the mod_rewrite method to be the best approach until PHP releases a better fix.
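To see what the "indexed query" rule and the mod_rewrite condition actually match, here is an added Python example (not code from the original post or from php.net) that mirrors the RewriteCond above and runs it over a few constructed access-log lines, flagging GET/HEAD requests whose query string would reach php-cgi as command-line options. The log format and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Mirrors the mod_rewrite condition from the php.net workaround:
#   RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
# A query string starting with "-" (or its percent-encoded form %2d)
# and containing no "=" is an "indexed query" that php-cgi receives
# as argv, i.e. as options such as -s.
DANGEROUS_QUERY = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

def is_indexed_query(query: str) -> bool:
    """True if the query string has no unencoded '=' (the indexed-query case)."""
    return "=" not in query

def is_php_cgi_option_query(query: str) -> bool:
    """True if the query string matches the php.net RewriteCond."""
    return bool(DANGEROUS_QUERY.match(query))

# Only GET and HEAD requests are treated as indexed queries by CGI
# (per the php.net text quoted above), so other methods are ignored.
LOG_LINE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def flag_requests(log_lines):
    """Return (url, query) for every GET/HEAD request in the log lines
    whose query string would be passed to php-cgi as options."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        url = m.group(1)
        query = urlsplit(url).query  # urlsplit does not percent-decode
        if is_php_cgi_option_query(query):
            hits.append((url, query))
    return hits

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.1 - - [04/May/2012:10:00:00 +0000] "GET /index.php?-s HTTP/1.1" 200 512',
    '10.0.0.2 - - [04/May/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024',
    '10.0.0.3 - - [04/May/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 512',
    '10.0.0.4 - - [04/May/2012:10:00:03 +0000] "POST /index.php?-s HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for url, query in flag_requests(SAMPLE_LOG):
        print(f"suspicious php-cgi request: {url} (query={query!r})")
```

Because the post notes that the php.net patch is easy to bypass, treat this check as a way to audit logs and test the rewrite rule, not as proof that a server is safe.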