CVE-2012-1823

CVSS 9.8 CRITICALEPSS 100.0%● KEVCWE-77

In short

PHP-CGI fails to properly parse query strings without an equals sign, allowing attackers to inject command-line options that execute arbitrary code on the server.

Technical detail

CVE-2012-1823 affects PHP configured as CGI when processing query strings lacking an '=' character. The vulnerability stems from improper handling of the 'd' case in php_getopt, enabling remote attackers to inject arbitrary command-line options via malformed query strings, leading to arbitrary code execution with the privileges of the web server process.

Summary generated and translated by AI from the official description.

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · n/a

public PoCs found — 15

githubgithub.com/0xl0k1/CVE-2012-1823★ 11 githubgithub.com/Unix13/metasploitable2★ 4 githubgithub.com/tardummy01/oscp_scripts-1★ 3 githubgithub.com/Dmitri131313/CVE-2012-1823-exploit-for-https-user-password-web★ 1 githubgithub.com/cyberharsh/PHP_CVE-2012-1823★ 1 githubgithub.com/hackherMind-Pixel/Vulnerable-Lab-Exploitation★ 1 githubgithub.com/drone789/CVE-2012-1823★ 1 githubgithub.com/nulltrace1336/PHP-CGI-Argument-Injection-Exploit★ 0 githubgithub.com/Jimmy01240397/CVE-2012-1823-Analyze★ 0 githubgithub.com/waburig/Open-Worldwide-Application-Security-Project-OWASP-★ 0 githubgithub.com/tryj/CVE-2012-1823---PHP-CGI---RCE★ 0 exploitdbwww.exploit-db.com/exploits/29290unverified exploitdbwww.exploit-db.com/exploits/29316unverified exploitdbwww.exploit-db.com/exploits/18834unverified exploitdbwww.exploit-db.com/exploits/18836unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041 http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html http://marc.info/?l=bugtraq&m=134012830914727&w=2 http://rhn.redhat.com/errata/RHSA-2012-0546.html http://rhn.redhat.com/errata/RHSA-2012-0547.html http://rhn.redhat.com/errata/RHSA-2012-0568.html http://rhn.redhat.com/errata/RHSA-2012-0569.html http://rhn.redhat.com/errata/RHSA-2012-0570.html