Forum Discussion

Tom_Spector_50's avatar
Historic F5 Account
May 08, 2012

RE: Recent PHP-CGI query string parameter vulnerability

The recently found PHP-CGI query string parameter vulnerability noted in:


Was announced on May 2nd and as of yet, does not have a solution -


If you have the F5 Application Security Manager or indeed any F5 product you have the tools to defend yourself without relying on any outside sources by utilizing ASM’s custom attack signatures or TMOS’s iRules.

A signature such as:


uricontent:"php?-"; nocase;


Would flag any instances of using a ‘-‘ at the start of a PHP query string.


This signature can further be refined to target only the instances where the ‘-‘ is used without a ‘=’ in the query or only with relation to the specific switches (e.g. –s,-d and –c) as well as account for spaces between ‘?’ and ‘–‘ e.g. php?+-c


Alternatively, you can create an iRule that searches for the same string in a URL.


Threats come at you fast – have the tools to defend yourself.






3 Replies

  • If you are using php and CGI on URLs that don't end in .php this will not work.





    ScriptAlias /path /path/to/file.php



    would still be vulnerable to



  • The following appears to do the trick:



    valuecontent: "-"; depth: 1;
  • also check out:






    Irule response.