CVE-2012-2336
published 2012-05-11

Priority: P270
CVSS 2.0: 5 (medium), AV:N/AC:L/Au:N/C:N/I:N/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 50.72% (98.8th percentile)
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

Affected

107 ranges · showing 25

Vendor | Product | Version range | Fixed in
php | php | <= 5.3.12 |

Detection & IOCs (extracted from sources)

url: /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input
path: /cgi-bin/php
command: -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
  • Detect PHP-CGI argument injection by looking for HTTP requests where the query string contains no '=' character but includes URL-encoded PHP CLI flags (e.g., %2D%64 / -d, %2D%6E / -n) separated by '+' characters targeting php-cgi paths such as /cgi-bin/php.
  • Alert on HTTP requests to php-cgi endpoints where the query string begins with a '+- ' sequence, as this pattern is specifically associated with the incomplete CVE-2012-1823 fix bypass (CVE-2012-2335/CVE-2012-2336).
  • Detect exploitation attempts by monitoring for HTTP POST requests to CGI-handled PHP scripts with query strings containing URL-encoded '-d auto_prepend_file=php://input' and a POST body containing PHP code, combined with Content-Type: application/x-www-form-urlencoded.
  • Vulnerability check probe: detect HTTP requests to php-cgi with query string '?-s' (source display flag); a 200 response containing PHP source markup indicates a vulnerable target.
  • Monitor for HTTP responses containing 'Parse error:' or 'Warning:' strings in reply to CGI query-string probe requests, as exploit tools use these patterns to confirm PHP-CGI vulnerability.
  • This vulnerability only affects PHP when deployed as a CGI binary (php-cgi). PHP running as an Apache module (mod_php) is NOT affected.
  • CVE-2012-2336 is an incomplete fix for CVE-2012-1823; systems patched to PHP 5.3.12 / 5.4.2 (the initial CVE-2012-1823 fix) remain vulnerable. The complete fix requires PHP 5.3.13+ or 5.4.3+.
  • The exploit also bypasses several PHP hardening settings (safe_mode, open_basedir, disable_functions, suhosin) by injecting -d directives via the query string, so those controls cannot be relied upon as mitigations on vulnerable php-cgi versions.
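
The first detection rule above (a query string with no '=' that decodes to CLI flags), as an added example that is not part of the original record or of any vendor rule set. It assumes Apache/nginx "combined" access-log lines; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: Apache/nginx "combined" access-log format.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A decoded argv token that looks like a CLI option: -s, -n, -d name=value ...
FLAG_RE = re.compile(r"(?:^|\s)-[A-Za-z]")

# Constructed sample lines (documentation IP range), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2012:10:00:01 +0000] "POST /cgi-bin/php?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [11/May/2012:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.7 - - [11/May/2012:10:00:03 +0000] "GET /index.php?+-s HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.7 - - [11/May/2012:10:00:04 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.4 - - [11/May/2012:10:00:05 +0000] "GET /index.php?id=5&sort=-date HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.4 - - [11/May/2012:10:00:06 +0000] "GET /search.php?php-security HTTP/1.1" 200 900 "-" "-"',
]

def php_cgi_arg_injection(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m["target"]:
        return None
    path, raw_query = m["target"].split("?", 1)
    # The flaw concerns query strings lacking a literal '='; %3d does not count,
    # which is why the flags arrive with an encoded equals sign.
    if "=" in raw_query:
        return None
    # '+' separates tokens; percent-decoding exposes %2D ('-') and %3D ('=').
    decoded = unquote(raw_query.replace("+", " "))
    if not FLAG_RE.search(decoded):
        return None
    return {
        "method": m["method"],
        "path": path,
        "status": int(m["status"]),
        "args": decoded.strip(),
        "php_input": "php://input" in decoded,  # auto_prepend_file variant
    }

def scan(lines):
    """Run the check over an iterable of log lines and keep the findings."""
    return [f for f in map(php_cgi_arg_injection, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The check does not filter on path, so it also covers PHP scripts routed to php-cgi outside /cgi-bin/; add a path filter if that produces noise in your environment.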

CVSS provenance

nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
vulncheck · 9.8 CRITICAL
vendor_redhat · 9.8 CRITICAL
vendor_ubuntu · 5.0 MEDIUM