Good afternoon, there are vulnerabilities on the site, for example, with the help of such a request:

"POST /local-bin/php/?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

A file has been created and executed on the server. From the side of php - everything seems to be clear here - directives are redefined, and then load the file and execute it. It is not clear why the web server allowed overriding these directives through the usual http request to /local-bin/php/?... ?

How to prevent?

Thank.

  • The first time I see php execution is made accessible from the outside. What for? - andreymal
  • This is how the novice admin set up, perhaps unknowingly, if you know, tell me how to disable it on the server. Thank. - pavelchervov
  • In the meantime, they wrote in the answer. It is worth looking for other ways to start PHP, for example, the same mod_php - andreymal

2 answers 2

This is a hole in CGI, not PHP. However, a patch was released for PHP three years ago.

http://habrahabr.ru/post/143331/

To fix it, it’s best not to run PHP in CGI mode, as this is the most inefficient method of launching.
Or upgrade the version of PHP.

    We can not update php because half of the site is currently running on php 5.2, so we run php in CGI mode. With mod_php, you need to run several apache processes, and we have a weak server.

    As a result, the following solutions helped:

    http://php.net/manual/en/security.cgi-bin.force-redirect.php https://security.stackexchange.com/questions/46566/protect-against-post-cgi-bin-php-attacks