Sitebuilder: PHP-CGI remote code execution vulnerability (CVE-2012-1823)

Refers to:

  • Plesk 10.4 for Windows
  • Plesk Sitebuilder 4.5 for Linux
  • Plesk 10.4 for Linux
  • Web Presence Builder
  • Plesk 11.5 for Windows
  • Plesk 11.5 for Linux
  • Plesk 12.0 for Linux

Created:

2016-11-16 13:11:06 UTC

Modified:

2016-12-21 20:08:24 UTC


Information

On May 3, 2012, the PHP-CGI remote code execution vulnerability was publicly disclosed. It is a critical vulnerability affecting all software that uses PHP-CGI.

The lists below show which versions of Parallels Plesk SiteBuilder (PPSB) and Web Presence Builder (WPB) are affected by the vulnerability.

Not affected:

  • PPSB 2.x-4.x for Windows;
  • WPB shipped with Parallels Plesk Panel 10.x-11.x for Linux and Windows;
  • WPB 10.x-11.x for Linux Standalone.

Affected:

  • Parallels Automation for WPB 10.x-11.x (see article #114080 for details and resolution instructions)
  • PPSB 2.x-4.x for Linux (see details and resolution below)

Symptoms

PHP-CGI installations are vulnerable to remote code execution. The vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec. This applies to the Apache web server in particular, and to some others.

Cause

A critical flaw was discovered in PHP (CVE-2012-1823) that allows someone to retrieve the PHP script source code and, in some cases, potentially trigger remote code execution (there is no publicly available PoC):

http://www.php.net/archive/2012.php#id2012-05-03-1

The official patch published on that php.net page still does not resolve the issue entirely.

How to verify whether a website is vulnerable

In a browser, append "?-d" to the URL of an existing PHP script on the website, as in the following example:

http://<your_sb_hostname>/check.php?-d

If the website is vulnerable, you will get

500 Internal Server Error

and the following lines will appear in the /var/log/apache2/sitebuilder_error.log file:

[Tue Jun 05 15:25:00 2012] [error] [client 10.50.1.82] Error in argument 1, char 2: no argument for option d
[Tue Jun 05 15:25:00 2012] [error] [client 10.50.1.82] malformed header from script. Bad header= php5 <file> [args...]: php5
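
To see which clients have already triggered these messages on a server, the following added example (not part of the original article) counts the two log messages quoted above per client address. The function names and the sample log are constructed for illustration; it assumes the Apache 2.2-style log layout shown above and matches any option letter, not only "d".

```shell
#!/bin/sh
# Added example (not from the Plesk article). Assumes the error-log layout
# shown above: [timestamp] [error] [client ADDR] message

# Write a constructed sample log. The first two lines are the ones quoted in
# the article; the last two are made up for this demo.
write_sample_log() {
    cat > "$1" <<'EOF'
[Tue Jun 05 15:25:00 2012] [error] [client 10.50.1.82] Error in argument 1, char 2: no argument for option d
[Tue Jun 05 15:25:00 2012] [error] [client 10.50.1.82] malformed header from script. Bad header= php5 <file> [args...]: php5
[Tue Jun 05 15:26:10 2012] [error] [client 192.0.2.10] File does not exist: /srv/example/favicon.ico
[Tue Jun 05 15:27:42 2012] [error] [client 192.0.2.77] Error in argument 1, char 2: no argument for option d
EOF
}

# Print "client hits first-seen" for every client that produced either the
# PHP option-parser error or the PHP usage text as a malformed CGI header.
scan_log() {
    awk '
    /\[error\] \[client / &&
    (/\] Error in argument [0-9]+, char [0-9]+: / ||
     /malformed header from script\. Bad header=.*php/) {
        ts = $0; sub(/^\[/, "", ts); sub(/\].*/, "", ts)          # leading timestamp
        ip = $0; sub(/.*\[client /, "", ip); sub(/\].*/, "", ip)  # client address
        if (!(ip in hits)) { first[ip] = ts; order[++n] = ip }
        hits[ip]++
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s %d %s\n", order[i], hits[order[i]], first[order[i]]
    }' "$1"
}

# Scan the log given as the first argument, or run the constructed demo.
if [ -r "${1:-}" ]; then
    scan_log "$1"
else
    demo=$(mktemp)
    write_sample_log "$demo"
    scan_log "$demo"
    rm -f "$demo"
fi
```

Run it with the path to sitebuilder_error.log as the only argument; each output line is a client address, its number of matching entries, and the time of the first one.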

Resolution (does not work for FreeBSD)

To resolve the issue, follow these steps:

  1. Download the cve-2012-1823-wa_sb.tgz archive:

    # wget http://kb.plesk.com/Attachments/kcs-12554/cve-2012-1823-wa_sb.tgz

  2. Extract the archive and change into the extracted directory:

    # tar xzvf cve-2012-1823-wa_sb.tgz
    # cd cve-2012-1823-wa_sb

  3. Launch the script:

    # sh setup.sh

You will get output that reads "Wrapped: PHP5."

Manual solution (for FreeBSD only)

  1. Download the cve-2012-1823-wa_sb.tgz archive:

    # fetch http://kb.plesk.com/Attachments/kcs-12554/cve-2012-1823-wa_sb.tgz

  2. Extract the archive and change into the extracted directory:

    # tar xzvf cve-2012-1823-wa_sb.tgz
    # cd cve-2012-1823-wa_sb

  3. Back up the original PHP-CGI binary by renaming it:

    # mv /usr/local/sitebuilder/cgi-bin/php /usr/local/sitebuilder/cgi-bin/php.orig

  4. Replace the PHP binary with the wrapper from the attachment:

    # cp php_wrapper.freebsd /usr/local/sitebuilder/cgi-bin/php

  5. Set correct permissions on the copied file:

    # chmod 755 /usr/local/sitebuilder/cgi-bin/php
    # chown root:wheel /usr/local/sitebuilder/cgi-bin/php

To verify that the fix is properly installed, run the following command:

# /usr/local/sitebuilder/cgi-bin/php -v

Important note for the FreeBSD solution: Do not apply this solution more than once. To find out whether it has already been applied, check whether the /usr/local/sitebuilder/cgi-bin/php.orig file exists on the system. If it does, do not delete it and do not repeat the above steps.
