A critical vulnerability was found and fixed in PHP CGI-based setups. According to the vendor’s website, the flaw existed and stayed unnoticed for the last 8 years.
“Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters,” the developer’s advisory says.
A remote hacker can leverage the vulnerability to obtain the source code of the implementation, and even to execute arbitrary code with the privileges of the web server.
The vulnerability was discovered in January 2012, while studying the Nullcon CTF. Within a couple of days, the PHP development team and the CERT organization were informed about it.
To fix the vulnerability, system administrators need to upgrade their PHP installation to version 5.3.12 or 5.4.2. For those who do not want to upgrade, the developers suggest using a mod_rewrite rule that should look like this:
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
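The rule strips the query string from any request whose raw query string begins with "-" or "%2d" (in either case, because of [NC]) and contains no "=". As an added example that is not part of the advisory or of the PHP project's code, the Python script below applies the same condition to access-log lines to find requests the rule would have rewritten; the log format, the sample lines and the function names are assumptions made for illustration.

```python
import re

# Same pattern as the RewriteCond above; re.IGNORECASE mirrors the [NC] flag.
INDEXED_SWITCH = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Request line inside an access-log entry: "METHOD target HTTP/x.y"
# (assumes the common/combined log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def matches_rule(query_string):
    """True if the RewriteCond would match this raw (undecoded) query string."""
    return bool(INDEXED_SWITCH.search(query_string))


def flag_requests(log_lines):
    """Return (method, path, query) for each logged request the rule would rewrite."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue  # malformed entry or not an HTTP request line
        path, sep, query = m.group("target").partition("?")
        # Like %{QUERY_STRING}, the logged target is not URL-decoded,
        # so "%2d" has to be matched literally, as in the rule.
        if sep and matches_rule(query):
            hits.append((m.group("method"), path, query))
    return hits


# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:00:01 +0000] "GET /index.php?-x HTTP/1.1" 200 512',
    '192.0.2.10 - - [04/May/2012:10:00:02 +0000] "HEAD /index.php?%2Dx+y HTTP/1.1" 200 0',
    '192.0.2.11 - - [04/May/2012:10:00:03 +0000] "GET /index.php?page=-1 HTTP/1.1" 200 900',
    '192.0.2.12 - - [04/May/2012:10:00:04 +0000] "GET /search.php?-q=term HTTP/1.1" 200 700',
    '192.0.2.13 - - [04/May/2012:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for method, path, query in flag_requests(SAMPLE_LOG):
        print(f"{method} {path} query={query!r}")
```

Only the first two sample lines are flagged: the third does not start with a dash, the fourth contains an unencoded "=", and the fifth has no query string.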
The vulnerability description is accessible here:
http://www.naked-security.com/nsa/209282.htm