Forum Discussion
RE: Recent PHP-CGI query string parameter vulnerability
The recently found PHP-CGI query string parameter vulnerability noted in https://bugs.php.net/bug.php?id=61910v was announced on May 2nd and as of yet does not have a solution: http://eindbazen.net/2012/05/php-cg...2012-1823/

A signature such as:

uricontent:"php?-"; nocase;

would flag any instances of using a '-' at the start of a PHP query string. This signature can further be refined to target only the instances where the '-' is used without a '=' in the query, or only in relation to the specific switches (e.g. -s, -d and -c), as well as account for spaces between '?' and '-', e.g. php?+-c

Alternatively, you can create an iRule that searches for the same string in a URL.
Thanks,
Tom.
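The refinements Tom describes (a '-' at the start of the query, no '=' anywhere in it, only the -s/-d/-c switches, and a '+'-encoded space between '?' and '-') as a log-scanning check, written here as an added example rather than anything from the original post; the log lines are constructed, and the requirement that the path end in .php is an assumption that mirrors the original uricontent rule:

```python
import re
from urllib.parse import urlsplit, unquote_plus

# The switches the post singles out as worth targeting.
SUSPICIOUS_SWITCHES = ("-s", "-d", "-c")

# Constructed Apache-style access log lines for the demonstration.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2012:10:01:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.6 - - [02/May/2012:10:01:13 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
10.0.0.7 - - [02/May/2012:10:01:14 +0000] "GET /index.php?+-c HTTP/1.1" 200 2048
10.0.0.8 - - [02/May/2012:10:01:15 +0000] "GET /index.php?id=-s HTTP/1.1" 200 512
10.0.0.9 - - [02/May/2012:10:01:16 +0000] "GET /about.html?-s HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_php_cgi_query(request_uri: str) -> bool:
    """True when a request URI matches the refined rule from the post:
    the path names a .php script (assumed, like 'php?' in the uricontent
    rule; see the comment below about other extensions), the query holds
    no '=', and after decoding '+' as a space some token starts with one
    of the targeted switches, so 'php?+-c' is caught as well as 'php?-c'.
    """
    parts = urlsplit(request_uri)
    # Limitation raised in the thread: PHP served on other extensions
    # would need this path test widened.
    if not parts.path.lower().endswith(".php") or not parts.query:
        return False
    if "=" in parts.query:          # an ordinary key=value query
        return False
    # unquote_plus also normalises percent-encoded characters before the check.
    decoded = unquote_plus(parts.query)
    return any(tok.startswith(SUSPICIOUS_SWITCHES) for tok in decoded.split())


def scan_access_log(log_text: str) -> list[str]:
    """Return the request URIs in an access log that trip the check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and flag_php_cgi_query(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for uri in scan_access_log(SAMPLE_LOG):
        print("flagged:", uri)
```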
- kman_52500 (Nimbostratus): If you are using PHP and CGI on URLs that don't end in .php this will not work.
- kman_52500 (Nimbostratus): The following appears to do the trick:
- jwham20 (Nimbostratus): also check out: