Bug 820708 - (CVE-2012-2336) CVE-2012-2336 php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 819855 819856 819857 819858 819859 819860
Blocks: 820710 835958 835959 835960
Reported: 2012-05-10 14:06 EDT by Jan Lieskovsky
Modified: 2015-11-24 09:57 EST
Doc Type: Bug Fix
Last Closed: 2012-06-27 12:15:34 EDT

Description Jan Lieskovsky 2012-05-10 14:06:31 EDT
Originally Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1823 to the following vulnerability:

A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)

This problem is described in more detail in the dedicated bug 818607.

Later it has also been reported:

that the -T parameter can be used as a DoS vector. The CVE identifier of CVE-2012-2336 has been assigned for that issue:
Comment 1 Tomas Hoger 2012-05-11 04:58:59 EDT
The relevant upstream fix is the second hunk of this commit:


Because the second php_getopt() call was not skipped, php-cgi could handle the following injected command line options:

- -T <count> - This makes the PHP interpreter execute the script <count> times.  An attacker needs to keep the connection open and consume all generated output to keep this running.  Therefore, the advantage of this as a DoS vector compared to simpler DoS attacks is limited; it can mostly be useful in cases when Keep-Alive is disabled and the number of connections per IP is limited over some time period.

- -h / -? - These make the PHP interpreter output usage info, which causes httpd to return an Internal Server Error to the client.  This may allow an attacker to guess that the site is running PHP in CGI mode and has CVE-2012-1823 partially fixed.

As the -T option is only supported in PHP 5.2 and later, this problem has a different impact on different Red Hat provided PHP packages:

- php packages in Red Hat Enterprise Linux 5 are only affected by the -h issue and are therefore minimally impacted by this flaw.

- php53 packages in Red Hat Enterprise Linux 5, and php packages in Red Hat Enterprise Linux 6 and Red Hat Application Stack v2, also support the -T option and are affected by the DoS attack vector.

As with the original issue CVE-2012-1823, this only affects PHP CGI configurations and does not affect the most common (and default in Red Hat Enterprise Linux and Fedora) configuration using the PHP module for Apache httpd.

This issue can also be mitigated using the same rewrite rules that were published as a mitigation for the CVE-2012-1823 issue - see bug #818607, comment #12 (or bug #818607, comment #27 if you're using an insecure wrapper script for php-cgi, but fixing such script is recommended, see bug #818607, comment #31).
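A defender-side check for this class of injection, added here as an example and not part of the bug report or of any Red Hat package: it applies the CGI rule that php-cgi followed (a query string with no unencoded '=' is handed to the script as command-line arguments, split on '+') to Apache access-log lines and flags the injected options, including the -T and -h/-? ones this bug covers. The log entries are constructed, and the option-to-impact map is a summary of what the reports describe, not a parser of PHP's real getopt table.

```python
import re
from urllib.parse import unquote

# RFC 3875 section 4.4: a CGI server passes a query string containing no
# unencoded '=' to the script as command-line arguments, split on '+'.
# php-cgi honoured this, so "?-s", "?-T+1000" or "?%2dh" reached php_getopt().
OPTION_IMPACT = {
    "-T": "CVE-2012-2336: script executed <count> times (DoS vector)",
    "-h": "CVE-2012-2336: usage output, HTTP 500 (CGI-mode fingerprinting)",
    "-?": "CVE-2012-2336: usage output, HTTP 500 (CGI-mode fingerprinting)",
    "-s": "CVE-2012-1823: script source disclosure",
    "-d": "CVE-2012-1823: php.ini override, possible code execution",
}

# Request line inside an Apache common/combined access-log entry.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

def injected_options(query):
    """Return the option flags php-cgi would have parsed from this query string.

    The '=' test runs on the raw, still-encoded query (as the CGI rule does);
    arguments are URL-decoded only afterwards, so "%2dh" is caught as "-h".
    """
    if query == "" or "=" in query:
        return []
    args = [unquote(a) for a in query.split("+")]
    return [a[:2] for a in args if len(a) >= 2 and a[0] == "-"]

def scan_access_log(lines):
    """Return (path, option, impact) for each request carrying injected options."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        for opt in injected_options(query):
            findings.append((path, opt, OPTION_IMPACT.get(opt, "unlisted php-cgi option")))
    return findings

# Constructed sample entries (not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2012:14:06:31 -0400] "GET /index.php?-T+1000 HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/May/2012:14:07:02 -0400] "GET /index.php?%2dh HTTP/1.1" 500 312',
    '192.0.2.12 - - [10/May/2012:14:07:30 -0400] "GET /index.php?page=1 HTTP/1.1" 200 1024',
    '192.0.2.13 - - [10/May/2012:14:08:11 -0400] "GET /index.php?-s HTTP/1.1" 200 2048',
    '192.0.2.14 - - [10/May/2012:14:08:40 -0400] "GET /index.php?foo+bar HTTP/1.1" 200 640',
]
```

The same condition (no '=' in the query string, an argument beginning with '-' after decoding) is what the query-string rewrite mitigation referenced above tests before the request ever reaches php-cgi.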
Comment 6 errata-xmlrpc 2012-06-27 11:52:31 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html
Comment 7 errata-xmlrpc 2012-06-27 11:53:05 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html
Comment 8 errata-xmlrpc 2012-06-27 11:54:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1045 https://rhn.redhat.com/errata/RHSA-2012-1045.html