Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 May 2012 14:59:40 -0400 (EDT)
Subject: Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)

Hash: SHA1

>The incomplete fix part seems to have got bit messy, at least with
>respect to CVE assignment.

The total number of CVE IDs should be 4. Comments below:

>1) Incorrect detection of = in query string, that made it possible to
>bypass the fix using %3D.  This was addressed by:
>-       if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
>+       if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
>which is noted as Mitigation option 3 in De Eindbazen's blog.
>Following the timeline / updates there, this should be what triggered
>CVE-2012-2311 assignment.

CVE-2012-2311 is for only this specific %3D fix listed as "1)" above.

>2) The fix from 1) did not address the problem for use cases where
>"unsafe" wrapper script, similar to the one pointed out in De
>Eindbazen's blog, is used.  It seems that was first mentioned in
>Christopher Kunz's ( blog mentioning that the PHP
>re-fix is still incomplete, though it's questionable if this is to be
>considered a PHP flaw.  Upstream warned about this insecure wrapper
>script problem:
>and even added a fix / work around for it to PHP:

This needs a separate CVE ID (different from both CVE-2012-1823 and
CVE-2012-2311). MITRE is considering the "insecure wrapper script" to
be a distributable product because the code has been available for
some time on a public web site, and the (admittedly tiny) script
codebase has apparently sometimes been copied and adapted for use at
multiple web-hosting providers.

The script codebase is, of course, open source.

In many cases, MITRE would not bother to assign a CVE ID for a
vulnerability in a "product" of this type (i.e., a product that is
arguably not even packaged for distribution and does not even have a
product name). However, in this case, the product and its
vulnerability have become commonly recognized and discussed because of
the connection to the other PHP-CGI issues. Therefore, a CVE name is

This can be temporarily called CVE-2012-NEW-1.

>3) The fix from 1) only made PHP skip one php_getopt() call out of two
>that are reachable in the CGI mode (the third php_getopt() call is in
>the if (!cgi && !fastcgi) block).  As the consequence, PHP was still
>parsing following arguments:
>- -h / -? - this seems harmless, as makes PHP output usage info, which
>  triggers Internal Server Error in httpd
>- -T - this was mentioned as DoS vector:
>The impact of this is rather limited as clients needs to consume all
>generated output too keep this running.  May offer some advantage of
>simple many requests DoS e.g. Keep-Alive is disabled and there's per-IP
>connection limit.
>This is upstream commit that was used in 5.4.2 / 5.3.12:
>and this is correction from 5.4.3 / 5.3.13:
>(both links are for PHP-5.3 branch commits).

This one also needs a separate CVE ID (different from both
CVE-2012-1823 and CVE-2012-2311). Compared to CVE-2012-2311, it
apparently has the same "affected versions" relative to official
upstream release numbers. However, the affected versions are different
in PHP packages from multiple Linux distributions. In this situation,
it seems best to have two separate CVE names (CVE-2012-2311 and a new
one) for the two different issues with php_getopt - in other words:

  CVE-2012-2311:   the vulnerability that exists when the php_getopt
                   for cases 'c' 'n' 'd' 'b' and 's' is not skipped
  CVE-2012-NEW-2:  the vulnerability that exists when the php_getopt
                   for cases 'T' and 'h' is not skipped

If this is agreeable, we would like Red Hat to make the specific CVE
assignments for the "CVE-2012-NEW-1" and "CVE-2012-NEW-2" labels
referenced above. If, for any reason, Red Hat doesn't want to make
these two CVE assignments, please let us know.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S S145
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.11 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.