

PHP-CGI 0-day source code exposure vulnerability - cheald
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

======
wvenable
The problem is that the php-cgi script/binary accepts the same command line
parameters as the regular php interpreter. This is clearly the wrong behavior
and it's even documented as not doing that:

<http://www.php.net/manual/en/security.cgi-bin.attacks.php>

"Accessing system files: <http://my.host/cgi-bin/php?/etc/passwd> The query
information in a URL after the question mark (?) is passed as command line
arguments to the interpreter by the CGI interface. Usually interpreters open
and execute the file specified as the first argument on the command line. When
invoked as a CGI binary, PHP refuses to interpret the command line arguments."

Although this was actually in the documentation, Rasmus forgot why it was in
there in the first place:

<http://thread.gmane.org/gmane.comp.php.devel/20745>

Here is a legacy feature of CGI that hardly anybody knows about, using a setup
of PHP that is already rare, targeting an issue already claimed to be solved!
The perfect storm.
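A defender-side illustration of the behaviour described in the comment above, added here as an example and not part of the original comment or of PHP's code: it applies the CGI rule (RFC 3875, section 4.4) that a query string with no unencoded `=` is split on `+`, URL-decoded and handed to the program as command line arguments, and flags access-log requests that would reach the interpreter that way. The log lines, the `-X` placeholder option and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic). "-X" is a placeholder option.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:00:01 +0000] "GET /index.php?id=5&page=2 HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/May/2012:10:00:02 +0000] "GET /index.php?-X HTTP/1.1" 200 2048',
    '192.0.2.12 - - [04/May/2012:10:00:03 +0000] "GET /cgi-bin/php?/etc/passwd HTTP/1.1" 404 0',
    '192.0.2.13 - - [04/May/2012:10:00:04 +0000] "GET /search.php?hello+world HTTP/1.1" 200 100',
    '192.0.2.14 - - [04/May/2012:10:00:05 +0000] "GET /index.php?%2DX HTTP/1.1" 200 2048',
    'malformed line without a request',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv(target):
    """Words a CGI server would pass as argv for this request target, else []."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    # An unencoded '=' marks ordinary form data; only "indexed" queries
    # (no '=') are turned into command line arguments.
    if not query or "=" in query:
        return []
    # Split on '+' first, then URL-decode each word, so %2D becomes '-'.
    return [unquote(word) for word in query.split("+") if word]


def findings(lines):
    """Return (line_index, kind, argv) for requests that produce CGI argv.

    kind is "option" when any word starts with '-', i.e. the interpreter
    would see it as a switch; otherwise "argv".
    """
    out = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        argv = cgi_argv(m.group("target"))
        if argv:
            kind = "option" if any(a.startswith("-") for a in argv) else "argv"
            out.append((i, kind, argv))
    return out


if __name__ == "__main__":
    for i, kind, argv in findings(SAMPLE_LOG):
        print(f"line {i}: {kind} {argv}")
```

The check ignores the request method on purpose: RFC 3875 limits the rule to GET and HEAD, but a detector is safer being method-agnostic.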

