PHP could allow access to the CGI SAPI
| php-cgi-sapi-access (11343) |  Medium Risk |
Description:
PHP fails to properly restrict access to the CGI SAPI module. If a Web server has this module enabled, a remote attacker could access the CGI binary and use it to read any file readable by the owner of the Web server process, and possibly execute arbitrary PHP code on the Web server by injecting PHP code into a file readable by the CGI binary.
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of PHP (4.3.1 or later), available from the PHP Web site. See References.
For OpenPKG containing the php package:
Upgrade to the latest php package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.010 for more information. See References.
OpenPKG CURRENT: 4.3.1-20030218 or later
OpenPKG 1.2: 4.3.0-1.2.1 or later
For OpenPKG containing the apache package:
Upgrade to the latest apache package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.010 for more information. See References.
OpenPKG CURRENT: 1.3.27-20030218 or later
OpenPKG 1.2: 1.3.27-1.2.1or later
For Gentoo Linux:
Upgrade to the latest version of mod_php php (mod_php-4.3.1 or later), as listed in Gentoo Linux Security Announcement 200302-09.1. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, Mon Feb 17 2003 - 12:01:14 CST : PHP Security Advisory: CGI vulnerability in PHP version 4.3.0 .
- Gentoo Linux Security Announcement 200302-09.1: mod_php -- arbitrary code execution. (From LinuxSecurity archive)
- PHP Security Advisory February 17, 2003: CGI vulnerability in PHP version 4.3.0 .
- PHP Web site: PHP: Downloads.
- BID-6875: PHP CGI SAPI Code Execution Vulnerability
- CVE-2003-0097: Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect).
- OpenPKG-SA-2003.010: PHP
Platforms Affected:
- Gentoo Linux
- OpenPKG OpenPKG 1.2
- OpenPKG OpenPKG CURRENT
- PHP PHP 4.3.0
Reported:
Feb 17, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net