Bug 820708 (CVE-2012-2336)

Summary: CVE-2012-2336 php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, jorton, mjc, rcvalle, rpm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-27 16:15:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 819855, 819856, 819857, 819858, 819859, 819860    
Bug Blocks: 820710, 835958, 835959, 835960    

Description Jan Lieskovsky 2012-05-10 18:06:31 UTC
Originally Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1823 to the following vulnerability:

A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)

This problem is in more detailed way described in a dedicated bug 818607.

Later it has been reported yet:

that the -T parameter can be used as a DoS vector. The CVE identifier of CVE-2012-2336 has been assigned for that issue:

Comment 1 Tomas Hoger 2012-05-11 08:58:59 UTC
Relevant upstream fix is the second hunk of this commit:


Because of the second php_getopt() call not being skipped, php-cgi could handle following injected command line options:

- T <count> - This makes PHP interpreter execute the script <count> times.  Attacker needs to keep the connection open and consume all generated output to keep this running.  Therefore, the advantage of this as a DoS vector compared to more simple DoS attacks is limited, can mostly be useful in cases when Keep-Alive is disabled and the number of connection per IP limited over some time period.

- -h / -? - These make PHP interpreter output usage info, which causes httpd to return an Internal Server Error to the client.  This may allow attacker to guess the site is running PHP in CGI mode and has CVE-2012-1823 partially fixed.

As -T option is only supported in PHP 5.2 and later, this problem has different impact on different Red Hat provided PHP packages:

- php packages in Red Hat Enterprise Linux 5 are only affected by -h issue and are therefore minimally impacted by this flaw.

- php53 packages in Red Hat Enterprise Linux 5, and php packages in Red Hat Enterprise Linux 6 and Red Hat Application Stack v2 also support -T option and affected by the DoS attack vector.

As with the original issue CVE-2012-1823, this only affects PHP CGI configurations and does not affect the most common (and default in Red Hat Enterprise Linux and Fedora) configuration using PHP module for Apache httpd.

This issue can also be mitigated using the same rewrite rules that were published as a mitigation for the CVE-2012-1823 issue - see bug #818607, comment #12 (or bug #818607, comment #27 if you're using an insecure wrapper script for php-cgi, but fixing such script is recommended, see bug #818607, comment #31).

Comment 6 errata-xmlrpc 2012-06-27 15:52:31 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html

Comment 7 errata-xmlrpc 2012-06-27 15:53:05 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html

Comment 8 errata-xmlrpc 2012-06-27 15:54:14 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1045 https://rhn.redhat.com/errata/RHSA-2012-1045.html