PHP-CGI remote code execution

Description

PHP, when running in CGI mode (such as with Apache's mod_cgid), is vulnerable to remote code execution due to improper handling of query string parameters. The php-cgi binary processes query strings as command-line arguments without proper validation, allowing attackers to inject command-line switches (such as -s, -d, or -c) directly through URL parameters. This enables attackers to disclose source code, modify PHP configuration directives, or execute arbitrary code. For example, appending ?-s to any PHP script URL will display its source code:

http://example.com/index.php?-s

Remediation

Apply one of the following remediation strategies:

Primary Solution: Upgrade PHP to version 5.3.12, 5.4.2, or later, which addresses CVE-2012-1823 and CVE-2012-2311.

Temporary Mitigation: If immediate patching is not possible, configure your web server to block requests with query strings that begin with a dash (-) and do not contain an equals sign (=). This prevents command-line switch injection while preserving legitimate application functionality.

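For Apache with mod_rewrite, add the following rules to your configuration (the rewrite engine must be enabled with RewriteEngine On). They strip the matching query string before the request is handed to php-cgi: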

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

For nginx, use:

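# ~* matches case-insensitively, so %2D is covered as well as %2d (the Apache rule does this with [NC])
if ($query_string ~* "^(%2d|-)[^=]+$") {
    return 403;
}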

Long-term Solution: Migrate from CGI mode to PHP-FPM or mod_php, which do not expose this vulnerability, and follow PHP security best practices including disabling unnecessary functions and running PHP with minimal privileges.
