PHP-CGI Exploit is in the wild. Get protected ASAP.

The vulnerability that sat undetected for 7 years was disclosed last week, but today it has been announced that exploits have been seen in the wild.  They are working on releasing a new patch. This is pretty bad as it’s not exploiting one particular web application, rather, it is exploiting web servers running PHP in general.

The quick fix is to add this to the .htaccess file on your website(s):

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|- [NC]
RewriteRule .? – [F,L]

Unless you have compiled PHP from source on your web server, you will need to wait for your vendor (Cpanel, WHM, RedHat, CentOS, etc) to release the updated version. I suggest you implement the above .htaccess fix in the meantime.


Edit 5/9/12 12:19PM Eastern:

Most cPanel configurations are protected by default:

About Will Chatham

Will Chatham is the Application Security Engineer at a cyber security research and development firm. Since Netscape 2.0, he has worked in a wide array of environments including non-profit, corporate, small business, and government. His varied background, from web developer to search engine optimizer to security professional, has helped him build a wide range of skills that help those with whom he works and teaches.
Bookmark the permalink.

Leave a Reply