PHP could allow access to the CGI SAPI

php-cgi-sapi-access (11343)

Medium Risk

Description:

PHP fails to properly restrict access to the CGI SAPI module. If a Web server has this module enabled, a remote attacker could access the CGI binary and use it to read any file readable by the owner of the Web server process, and possibly execute arbitrary PHP code on the Web server by injecting PHP code into a file readable by the CGI binary.

Platforms Affected:

• Gentoo, Linux
• OpenPKG, OpenPKG 1.2
• OpenPKG, OpenPKG CURRENT
• PHP, PHP 4.3.0

Remedy:

Upgrade to the latest version of PHP (4.3.1 or later), available from the PHP Web site. See References.

For OpenPKG containing the php package:
Upgrade to the latest php package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.010 for more information. See References.

OpenPKG CURRENT: 4.3.1-20030218 or later
OpenPKG 1.2: 4.3.0-1.2.1 or later

For OpenPKG containing the apache package:
Upgrade to the latest apache package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.010 for more information. See References.

OpenPKG CURRENT: 1.3.27-20030218 or later
OpenPKG 1.2: 1.3.27-1.2.1or later

For Gentoo Linux:
Upgrade to the latest version of mod_php php (mod_php-4.3.1 or later), as listed in Gentoo Linux Security Announcement 200302-09.1. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Mon Feb 17 2003 - 12:01:14 CST , PHP Security Advisory: CGI vulnerability in PHP version 4.3.0 at http://archives.neohapsis.com/archives/bugtraq/2003-02/0193.html.
• Gentoo Linux Security Announcement 200302-09.1, mod_php -- arbitrary code execution at http://www.linuxsecurity.com/content/view/104617/104/. (From LinuxSecurity archive)
• PHP Security Advisory February 17, 2003, CGI vulnerability in PHP version 4.3.0 at http://www.php.net/release_4_3_1.php.
• PHP Web site, PHP: Downloads at http://www.php.net/downloads.php.
• BID-6875: PHP CGI SAPI Code Execution Vulnerability
• CVE-2003-0097: Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect).
• OpenPKG-SA-2003.010: PHP

Reported:

Feb 17, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page