Mitigation for CVE-2012-1823 / CVE-2012-2311?

Yet Another PHP Security Blog

Archives

Tagged Articles











Links

PHP-Sicherheit
Christopher Kunz ()
VServer Hosting

Friday, May 4. 2012

Mitigation for CVE-2012-1823 / CVE-2012-2311?

So PHP 5.4.2 and 5.3.12 do not fix the security issue reported in CVE-2012-1823 and discussed here earlier. The original advisory has a number of mitigation opportunities and an additional patch, and PHP.net has a RewriteRule online as a hotfix.


Update As mentioned on Eindbazen: The current fixes have a problem with whitespace BEFORE the actual Query String, i.e. “/?+-s”. This only applies in the wrapper environment outlined by eindbazen.net where command-line arguments are passed without double quotes to PHP, as in /usr/bin/php5 $@.



I want to discuss now shortly if any of these properly mitigate the issue.


  1. PHP 5.4.2 does not mitigate the issue.
  2. RewriteRule on php.net: The RewriteRule posted on PHP.net is useless. I can’t go into much detail here but it does not mitigate the issue properly.
  3. RewriteRule on bugs.php.net: The comments in the original advisory show a RewriteRule that was posted on bugs.php.net originally. I tried this against an unpatched PHP 5.3.3-7+Squeeze8 and it seems to correctly filter all malicious query strings, including my variations. It has a tiny bit of overshoot though (for example, passing negative integers to the query string will trigger a 403), but it’s not practically relevant, I think.
  4. Binary Wrapper and Option-stripping patch on eindbazen.net: The guys who wrote the original advisory wrote a patch and a php-cgi wrapper that strips all “-xyz” options respectively skips option processing when in CGI mode. This works well, too.
  5. Patch “third option” on eindbazen.net: This patch does not properly mitigate the issue.


So, right now you will probably want to use the following RewriteRule:



RewriteEngine on

RewriteCond %{QUERY_STRING} ^[^=]*$

RewriteCond %{QUERY_STRING} %2d|\- [NC]

RewriteRule .? - [F,L]

This is the easiest way to hot-fix the issue until a working PHP version is released.


In the meantime, CVE-2012-2311 has been issued to address the fact that PHP 5.4.2 and 5.3.12 (which I never tested, btw, but the patch is identical) do not properly fix the problem.


Read the original advisory here and my earlier article here.
Posted by
Comments (6) Trackbacks (7)
Defined tags for this entry: , , , , , , , , ,
Related entries by tags:

Trackbacks
Trackback specific URI for this entry

PingBack
Weblog: edv-buchmarkt.de
Tracked: May 04, 19:55
PingBack
Weblog: edv-sicherheitskonzepte.de
Tracked: May 04, 22:51
PingBack
Weblog: www.root-files.de
Tracked: May 05, 11:01
PingBack
Weblog: www.itsecuresite.com
Tracked: May 06, 18:15
PingBack
Weblog: www.anchor.com.au
Tracked: May 07, 05:19
PingBack
Weblog: niebezpiecznik.pl
Tracked: May 07, 07:58
Neue PHP-Lücke bedroht CGI-Installationen
Eine neue Lücke, die letzte Woche zufällig (lies: unabsichtlich) veröffentlicht wurde, hält derzeit die PHP-Entwickler in Atem. Der Fehler, der seit mindestens 2004 existiert, ist auf eine fehlerhafte Implementierung der CGI-Spezifikation zurückzuführen.
Weblog: PHP-Sicherheit
Tracked: May 08, 10:10

Comments
Display comments as (Linear | Threaded)

#1 - Jani O 2012-05-04 18:14 - (Reply)

I think this problem is in Apache CGI implementation. Query string is supposed to be given to CGI program in environment variable QUERY_STRING not in command line arguments.

So this problem is more wide spread and to me if you run python in CGI with Apache be scared of -c parameters.

https://issues.apache.org/bugzilla/show_bug.cgi?id=13914

#1.1 - Mikko Rantalainen 2012-05-07 08:21 - (Reply)

The problem is not Apache but RFC 3875 which says:

"The script SHOULD check to see if the
QUERY_STRING value contains an
unencoded “=” character, and SHOULD NOT
use the command line arguments if it does."
(http://tools.ietf.org/html/rfc3875#section-4.4)

Reworded, if QUERY_STRING does not contain unencoded “=” character, the command line arguments should be used.

I have no idea why this part has ever been accepted to said RFC.

Apache just tries to strictly follow the RFC.

#1.1.1 - Chris 2012-05-07 08:27 - (Reply)

Hi,

I don’t think you can read it like this. Granted, there is surely place for discussion in this sentence (which is why it should never have made it into the final RFC, I agree with you there), but negating a “SHOULD”/“SHOULD NOT” does not make the opposite come true.

“If you are on the highway, you SHOULD NOT drive slower than 40km/h” does not mean that you should drive slower than 40 on any non-highway street.

So I think that the sentence, with regard to =-free query strings, means, that the CGI is free to use or ignore the command line parameters if the query string does not include an “=” sign.

#1.1.1.1 - Mikko Rantalainen 2012-05-07 09:50 - (Reply)

You are right, of course. The inverse of “SHOULD NOT” is “MAY”. However, I have no idea when the “MAY” would make any sense instead of “SHOULD”.

#1.1.1.1.1 - Chris 2012-05-07 10:04 - (Reply)

Generally, I don’t see why user-supplied input should be passed to the command line of a CGI binary in any case.

However, this specific part of the RFC is probably a lot older than RFC3875 itself, so I guess this is a remnant of olden times.

#2 - hoohead 2012-05-04 23:01 - (Reply)

thx :-)


Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.
 

Frontpage - Top level