PROBLEM:
PHP Command Parameter Bug Lets Remote Users Obtain Potentially Sensitive Information and Execute Arbitrary Code
PLATFORM:
PHP versions prior to 5.3.12 and 5.4.2
ABSTRACT:
A vulnerability was reported in PHP. A remote user can obtain potentially sensitive information. A remote user can execute arbitrary code on the target system.
REFERENCE LINKS:
SecurityTracker Alert ID: 1027022
CVE-2012-1823
CVE-2012-2311
IMPACT ASSESSMENT:
High
DISCUSSION:
A remote user can submit a specially crafted request containing a command line switch, causing the php-cgi binary to treat the switch as one of its own command line parameters and act on it.
Systems where PHP is used in a CGI-based setup (e.g., Apache mod_cgi) may be affected.
Systems using Apache mod_php or nginx with php-fpm are not affected.
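An added detection example (not part of the original advisory or of any vendor code): it scans access log lines for query strings that a CGI binary could receive as a command line switch. It assumes the CGI command line convention of RFC 3875 section 4.4 (a query string with no unencoded "=" is split on "+" and passed as arguments); the function names, the sample log lines and the `-PLACEHOLDER` switch are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def query_looks_like_switch(target: str) -> bool:
    """True if the query string could reach a CGI binary as a command line switch."""
    _, sep, query = target.partition("?")
    if not sep or not query:
        return False
    # Assumption (RFC 3875 section 4.4): only a query with no unencoded "="
    # is handed to the CGI program as command line arguments.
    if "=" in query:
        return False
    # Words are separated by "+" and percent-decoded before being passed.
    words = [unquote(word).strip() for word in query.split("+")]
    return any(word.startswith("-") for word in words)


def suspicious_requests(lines):
    """Return (line_number, target) for each log line with a switch-like query."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and query_looks_like_switch(match.group("target")):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample log lines (documentation IP range, placeholder switch name).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:00:01 +0000] "GET /index.php?id=7 HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/May/2012:10:00:02 +0000] "GET /index.php?-PLACEHOLDER HTTP/1.1" 200 9000',
    '192.0.2.11 - - [04/May/2012:10:00:03 +0000] "POST /index.php?%2DPLACEHOLDER+value HTTP/1.1" 200 40',
    '192.0.2.12 - - [04/May/2012:10:00:04 +0000] "GET /search.php?q=-draft HTTP/1.1" 200 700',
    '192.0.2.13 - - [04/May/2012:10:00:05 +0000] "GET /index.php?word+%20-PLACEHOLDER HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for number, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit only shows that a request was shaped this way; whether the server was affected still depends on the CGI setup and PHP version noted in this bulletin.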
IMPACT:
A remote user can obtain potentially sensitive information. A remote user can execute arbitrary code on the target system.
SOLUTION:
The vendor has issued a fix (5.3.12, 5.4.2).