PHP-CGI “severe” vulnerability CVE-2012-1823

On May 3rd, a PHP-CGI vulnerability termed as “severe” by CloudLinux was published in US CERT web site.

The vulnerability causes any server running PHP as CGI to allow source code disclosure and arbitrary command execution using the account’s privileges. The quote from US CERT web site is below:

When PHP is used in a CGI-based setup (such as Apache’s mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.

While the primary vulnerability was reported for PHP-CGI executions, the CloudLinux note cautioned that this could be applicable to suPHP and mod_fcgid as well. But a post in suPHP mailing list says it is not affected by this vulnerability.

Response from Parallels

Parallels reacted with a 3 point resolution to this issue, as described in their KB entry on CVE-2012-1823.Important points are quoted below: