CVE-2012-2311
published 2012-05-11


Priority: P277, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 68.85% (99.3rd percentile)
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

Affected

106 ranges (showing 25)

Vendor  Product  Version range  Fixed in
php     php      <= 5.3.12
(the remaining 24 rows list vendor php, product php, with no version data)

Detection & IOCs (extracted from sources)

URL: /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input
Path: /cgi-bin/php
Command: -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
  • Detect exploit attempts by looking for query strings containing %3D (URL-encoded '=') with no literal '=' character in the query string, combined with PHP CGI command-line flags such as -d in the URI.
  • Detect HTTP requests to PHP CGI paths (e.g., /cgi-bin/php) where the query string contains URL-encoded PHP CLI flags: look for %2D%64 (decoded: -d), allow_url_include, auto_prepend_file=php://input patterns in the URI.
  • Inspect HTTP response bodies for PHP error strings 'Parse error:' or 'Warning:' in response to crafted CGI query strings as a vulnerability confirmation indicator used by scanners.
  • Monitor for use of Tor exit node IP addresses and dynamic DNS domains as source addresses in exploitation traffic targeting CVE-2012-2311 and CVE-2012-1823.
  • Flag HTTP POST requests to PHP CGI endpoints where Content-Type is application/x-www-form-urlencoded and the body contains PHP webshell or reverse shell code (e.g., proc_open, stream_select patterns).
  • CVE-2012-2311 is triggered only when PHP is deployed as a CGI script (php-cgi); PHP running as a module (mod_php) or via FastCGI is not affected by this attack vector.
  • This vulnerability is an incomplete fix for CVE-2012-1823; systems patched only for CVE-2012-1823 (PHP < 5.3.12 / 5.4.x < 5.4.2) but not updated to 5.3.13 / 5.4.3 remain exploitable via the %3D bypass.
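As an added detection example (not taken from the page's sources), the check in the first two bullets applied to constructed access-log lines in Python. It generalises slightly: php-cgi's CVE-2012-1823 fix skipped argv parsing only when the raw query string held a literal '=', so the tell is a query with no literal '=' whose decoded first token starts with '-'; when the raw query carries %3D the request is the CVE-2012-2311 bypass, otherwise the original CVE-2012-1823 form. Function names and log lines are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

def php_cgi_argv_injection(request_target: str) -> dict:
    """Classify one request target (path + query) for the php-cgi argv-injection pattern.

    The CVE-2012-1823 fix skipped argv handling only if the *raw* query contained '=';
    CVE-2012-2311 bypasses that with %3D, so we test the raw string for '=' and the
    decoded string for a leading option token.
    """
    raw_query = urlsplit(request_target).query
    verdict = {"suspicious": False, "reason": "", "options": []}
    if not raw_query or "=" in raw_query:
        return verdict  # ordinary key=value query; php-cgi never treats it as argv
    decoded = unquote_plus(raw_query)  # '+' and %XX become their literal characters
    tokens = decoded.split()
    if not tokens or not tokens[0].startswith("-"):
        return verdict
    verdict["suspicious"] = True
    verdict["reason"] = ("%3D bypass (CVE-2012-2311)" if re.search(r"%3[dD]", raw_query)
                         else "argv injection (CVE-2012-1823)")
    # Collect the -d ini directives so a responder can see what the request tried to set
    # (e.g. allow_url_include=on, auto_prepend_file=php://input as in the IOCs above).
    for m in re.finditer(r"-d\s*([A-Za-z_.]+)=?(\S*)", decoded):
        verdict["options"].append((m.group(1), m.group(2)))
    return verdict

def scan_access_log(lines):
    """Yield (request_target, verdict) for each CLF-style log line that matches."""
    req = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
    for line in lines:
        m = req.search(line)
        if m:
            verdict = php_cgi_argv_injection(m.group(1))
            if verdict["suspicious"]:
                yield m.group(1), verdict

# Constructed sample log lines: one benign request, one %3D bypass, one bare -s probe.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/May/2012:10:00:00 +0000] "GET /index.php?id=1&name=foo HTTP/1.1" 200 812',
    '203.0.113.9 - - [11/May/2012:10:00:01 +0000] "POST /cgi-bin/php?-dallow_url_include%3don'
    '+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/May/2012:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for target, verdict in scan_access_log(SAMPLE_LOG):
        print(verdict["reason"], target, verdict["options"])
```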

CVSS provenance

nvd: v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
vulncheck: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL
vendor_ubuntu: 7.5 HIGH