Vulnerability ID 5319

PHP up to 5.3.12/5.4.2 sapi/cgi/cgi_main.c $_SERVER['QUERY_STRING'] privilege escalation

CVSSv3 Temp ScoreCurrent Exploit Price (≈)

A vulnerability classified as very critical has been found in PHP up to 5.3.12/5.4.2. This affects an unknown function of the file sapi/cgi/cgi_main.c. The manipulation of the argument $_SERVER['QUERY_STRING'] with the input value -s leads to a privilege escalation vulnerability. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the d case.

The bug was discovered 01/13/2012. The weakness was shared 05/03/2012 by De Eindbazen as confirmed blog post. The advisory is shared for download at The vendor cooperated in the coordination of the public release. This vulnerability is uniquely identified as CVE-2012-1823 since 03/21/2012. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known. The pricing for an exploit might be around USD $0-$1k at the moment. Due to its background and reception, this vulnerability has a historic impact.

A public exploit has been developed by metasploit (rayh4c) in C and been published 1 days after the advisory. It is declared as proof-of-concept. The exploit is shared for download at The vulnerability was handled as a non-public zero-day exploit for at least 111 days. During that time the estimated underground price was around $50k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 74630 (openSUSE Security Update : php5 (openSUSE-2012-288)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks and running in the context local.

Upgrading to version 5.4.2 or 5.3.12 [first official Patch not working!] eliminates this vulnerability. Applying the patch CVE-2012-1823-mitigation.tar.gz (inofficial Patch) is able to eliminate this problem. The bugfix is ready for download at It is possible to mitigate the weakness by firewalling tcp/80 (Web Services). The problem might be mitigated by replacing the product with FastCGI & ASP as an alternative. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published immediately after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 22063.

The vulnerability is also documented in the databases at Secunia (SA49014) and SecurityTracker (ID 1027022). Further details are available at See 60729, 60732 and 9012 for similar entries.




Base Score: 7.3 [?]
Temp Score: 6.6 [?]
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C [?]
Reliability: High


Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) [?]
Temp Score: 5.9 (CVSS2#E:POC/RL:OF/RC:C) [?]
Reliability: High




Class: Privilege escalation (CWE-20)
Local: No
Remote: Yes

Availability: Yes
Access: Public
Status: Proof-of-Concept
Reliability: 90%
Programming Language: C
Author: metasploit (rayh4c)

Current Price Estimation: $50k-$100k (0-day) / $0-$1k (Today)


Nessus ID: 74630
Nessus Name: openSUSE Security Update : php5 (openSUSE-2012-288)
Nessus File: ala_ALAS-2012-77.nasl
Nessus Family: SuSE Local Security Checks
Nessus Context: local
Nessus Port: 0
OpenVAS ID: 71344
OpenVAS Name: Debian Security Advisory DSA 2465-1 (php5)
OpenVAS File: deb_2465_1.nasl
OpenVAS Family: Debian Local Security Checks

Saint ID: exploit_info/php_cgi_arg_rce
Saint Name: PHP CGI Query String Parameters Command Execution
MetaSploit ID: php_cgi_arg_injection.rb
MetaSploit File: metasploit-framework/modules/exploits/multi/http/php_cgi_arg_injection.rb
MetaSploit Name: PHP CGI Argument Injection

Exploit-DB: 18834


Recommended: Upgrade
Status: Official fix
Reaction Time: 107 days since reported
0-Day Time: 111 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 1 days since known

Upgrade: PHP 5.4.2/5.3.12 [first official Patch not working!]
Patch: CVE-2012-1823-mitigation.tar.gz (inofficial Patch)
Firewalling: tcp/80 (Web Services)
Alternative: FastCGI & ASP

Snort ID: 22063
Snort Class: attempted-admin
Snort Message: SERVER-WEBAPP PHP-CGI remote file include attempt

Suricata ID: 2014704
Suricata Class: web-application
Suricata Message: ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability


01/13/2012 Vulnerability found
01/17/2012 +4 days Vendor informed
03/21/2012 +64 days CVE assigned
05/03/2012 +43 days Advisory disclosed
05/03/2012 +0 days Countermeasure disclosed
05/04/2012 +1 days Exploit disclosed
05/04/2012 +0 days VulDB entry created
05/04/2012 +0 days Secunia entry created
05/04/2012 +0 days SecurityTracker entry created
05/11/2012 +7 days NVD disclosed
06/13/2014 +763 days Nessus plugin released
10/02/2016 +842 days VulDB last update


Researcher: De Eindbazen
Status: Confirmed
Coordinated: Yes

CVE: CVE-2012-1823 ( ( (

Secunia: 49014 - PHP QUERY_STRING Parameters and Buffer Overflow Vulnerabilities, Highly Critical
SecurityTracker: 1027022 - PHP Command Parameter Bug Lets Remote Users Obtain Potentially Sensitive Information and Execute Arbitrary Code
OSVDB: 81633

See also: 60729, 60732, 9012


Created: 05/04/2012
Updated: 10/02/2016
Entry: 100% complete