PHP-CGI Exploit is in the wild. Get protected ASAP.

The vulnerability that sat undetected for 7 years was disclosed last week, but today it has been announced that exploits have been seen in the wild. They are working on releasing a new patch. This is pretty bad, as it does not exploit one particular web application; rather, it exploits web servers running PHP in general.

The quick fix is to add this to the .htaccess file on your website(s):

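RewriteEngine on
# Match query strings that contain no "=" (not ordinary key=value parameters)
RewriteCond %{QUERY_STRING} ^[^=]*$
# ...and that contain a hyphen, literal or URL-encoded (%2d, case-insensitive)
RewriteCond %{QUERY_STRING} %2d|- [NC]
# Refuse matching requests with 403 Forbidden and stop processing rules
RewriteRule .? - [F,L]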

Unless you have compiled PHP from source on your web server, you will need to wait for your vendor (cPanel, WHM, Red Hat, CentOS, etc.) to release the updated version. I suggest you implement the above .htaccess fix in the meantime.
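To check which requests the .htaccess rule rejects, and whether matching requests already appear in your access logs, the following added example (not part of the original post) applies the same two conditions to the raw query string of each logged request. The log lines, client addresses and query values are constructed for illustration, and the log layout is assumed to be Apache's Combined/Common Log Format.

```python
import re

# The same two tests as the RewriteCond lines. Apache matches them against
# the raw, undecoded query string, so "%2d" is matched literally here too.
NO_EQUALS = re.compile(r"^[^=]*$")             # no "=" anywhere in the query
HAS_DASH = re.compile(r"%2d|-", re.IGNORECASE)  # [NC] = case-insensitive

# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def rule_would_block(query: str) -> bool:
    """True when both RewriteCond patterns match, i.e. the rule answers 403."""
    return bool(NO_EQUALS.search(query)) and bool(HAS_DASH.search(query))

def scan(lines):
    """Return (line_number, client, target) for logged requests the rule matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        target = match.group("target")
        _path, has_query, query = target.partition("?")
        if has_query and rule_would_block(query):
            hits.append((number, line.split()[0], target))
    return hits

# Constructed sample log lines (documentation-range addresses, made-up queries).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2012:10:01:02 -0400] "GET /index.php?page=about-us HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/May/2012:10:01:05 -0400] "GET /index.php?-example HTTP/1.1" 403 210',
    '198.51.100.7 - - [09/May/2012:10:01:06 -0400] "GET /index.php?%2Dexample HTTP/1.1" 403 210',
    # A legitimate "=-less" query with a hyphen is also refused by the rule.
    '203.0.113.4 - - [09/May/2012:10:02:00 -0400] "GET /docs.php?getting-started HTTP/1.1" 403 210',
    '192.0.2.10 - - [09/May/2012:10:02:30 -0400] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, client, target in scan(SAMPLE_LOG):
        print(f"line {number}: {client} requested {target}")
```

The fourth sample line shows the rule's side effect: any query string without an "=" that contains a hyphen is refused, so check your own URLs for that pattern before deploying it.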

 

Edit 5/9/12 12:19PM Eastern:

Most cPanel configurations are protected by default: http://www.cpanel.net/2012/05/cpanel-protects-against-php-vulnerability.html

About Will Chatham

Will Chatham is the Security Assessment Engineer for Arbor Networks. Since Netscape 2.0, he has worked in a wide array of environments including non-profit, corporate, small business, and government. He started as a web developer, moved into Linux system administration, and ultimately found his place as a security professional. Having most recently conquered the OSCP certification, Will continues to hack his way into various things in an effort to make them more secure.