⚠ Actively exploited

Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions..

CVE-2012-1823

CWE-77 — Command Injection CWE-20 — Improper Input Validation26 documents14 sources

Severity

9.8CRITICAL

EPSS

94.4%

top 0.03%

CISA KEV

KEV

Added 2022-03-25

Due 2022-04-15

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple MAC OS X PHP PHP Debian Debian Linux +14 more

Timeline

PublishedMay 11

KEV addedMar 25

KEV dueApr 15

Latest updateMay 14

CISA Required Action: Apply updates per vendor instructions.

Description

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages12 packages

▶NVDphp/php5.4.0 — 5.4.2+1

▶NVDapple/mac_os_x10.6.8 — 10.7.5+1

▶NVDhp/hp-uxb.11.23, b.11.31+1

▶NVDredhat/storage2.0

▶NVDopensuse/opensuse11.4, 12.1+1

Also affects: Debian Linux 6.0, Fedora 39, 40, Enterprise Linux 5.6, 6.1, 6.2, 5.3

Patches

Patch: www.php.net ↗Patch: bugs.php.net ↗Patch: bugs.php.net ↗

🔴Vulnerability Details

GHSA

GHSA-3p37-hv77-x3rp: sapi/cgi/cgi_main↗2022-05-14

▶

CVEList

CVE-2012-1823: sapi/cgi/cgi_main↗2012-05-11

▶

VulnCheck

PHP-CGI Query String Parameter Vulnerability↗2012

▶

💥Exploits & PoCs

Exploit-DB

Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner↗2013-10-31

▶

Exploit-DB

Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution↗2013-10-29

▶

Exploit-DB

PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection↗2012-05-05

▶

Exploit-DB

PHP 5.3.12/5.4.2 - CGI Argument Injection (Metasploit)↗2012-05-04

▶

Nuclei

PHP CGI v5.3.12/5.4.2 Remote Code Execution

▶

🔍Detection Rules

Suricata

ET WEB_SERVER PHP.//Input in HTTP POST↗2014-11-25

▶

Suricata

ET EXPLOIT Zollard PHP Exploit UA Outbound↗2013-12-10

▶

📋Vendor Advisories

CISA

PHP-CGI Query String Parameter Vulnerability↗2022-03-25

▶

Ubuntu

PHP vulnerability↗2012-05-04

▶

Red Hat

php: command line arguments injection when run in CGI mode (VU#520827)↗2012-05-03

▶

🕵️Threat Intelligence

Unit42

Network Attack Trends: Internet of Threats (August-October 2020)↗2021-01-22

▶

Unit42

Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)↗2020-09-15

▶

Talos

PHP-CGI vulnerability - exploits in the wild and Snort coverage↗2012-05-08

▶

Talos

PHP-CGI vulnerability - exploits in the wild and Snort coverage↗2012-05-08

▶

💬Community

Bugzilla

CVE-2012-2335 php: incomplete CVE-2012-1823 fix - insecure wrapper↗2012-05-11

▶

Bugzilla

CVE-2012-2336 php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h↗2012-05-10

▶

Bugzilla

CVE-2012-2311 php: incomplete CVE-2012-1823 fix - incorrect check for =↗2012-05-04

▶

Bugzilla

CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827)↗2012-05-03

▶

Bugzilla

CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827) [fedora-all]↗2012-05-03

▶