Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

PHP CGI Query String Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability exists in PHP versions prior to 5.3.12 and 5.4.x prior to 5.4.2 when PHP is run as a CGI executable ('php-cgi'). The CGI executable improperly processes query strings that lack an equals sign: the web server passes such a query string to 'php-cgi' as command-line arguments, so a remote attacker can inject command-line options and use them to execute arbitrary code. The vulnerability involves the '-d' command-line option and the way PHP's 'php_getopt' function handles the query string.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the server with the privileges of the user account under which the PHP interpreter runs.

Reproduction

To reproduce this vulnerability, upload a PHP script to a server that runs PHP through CGI, with the web server configured to hand PHP scripts to 'php-cgi'. Then send a request for the script with a query string that contains a command-line option, such as '-s', and no equals sign. Because the query string contains no '=', 'php-cgi' receives it as command-line arguments and the injected option takes effect. For example, a request for 'index.php?-s' triggers the vulnerability by dumping the script's PHP source code.

Remediation

Upgrade to PHP 5.3.13 or 5.4.3, both of which include patches for this vulnerability. After upgrading, restart the web server so that the patched interpreter is used.

Added: Mar 24, 2026, 10:23 AM
Updated: Mar 24, 2026, 10:23 AM

Vulnerability Rating

Custom Algorithm
spread: 9.4
impact: 7.5
exploitability: 9.6
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.