Weblog

Today, information about a vulnerability in PHP was leaked to the internet. The vulnerability allows an attacker to add parameters of the php-cgi binary to be added to an URL. When adding, for example, ?-s to a PHP script in the URL, the source of that script is displayed instead of the output of the PHP script. This only works when using PHP as CGI. When using FastCGI or Apache's mod_php, you are not vulnerable.

The information about this vulnerability was made public on the PHP website by mistake. The information was quickly taken offline after the leakage was discovered. However, it's still available via this link.

I took a closer look at the bug report and found that it's not PHP that is vulnerable, but PHP in combination with the webserver (Apache?) used by the bug reporter. When using Hiawatha, you are not vulnerable. Hiawatha does not (of course!!!) add URL parameters to the command line when executing PHP in CGI mode.

The vulnerability was discovered by Eindbazen.