PHP-CGI remote code execution

Description

PHP is a widely used general-purpose scripting language that is especially suited for web development and can be embedded into HTML. When PHP is used in a CGI-based setup (such as Apache's mod_cgid), some configurations make it possible to execute arbitrary code with the privileges of the web server. On Debian and Ubuntu the vulnerability is present in the default install of the php5-cgi package.

When the php5-cgi package is installed on Debian or Ubuntu, or php-cgi is installed manually, the php-cgi binary is accessible under /cgi-bin/php5 and /cgi-bin/php. The binary has a security check enabled when installed with the Apache HTTP Server; the exploit circumvents this check, which makes it possible to execute the binary.

Affected versions:

  • PHP prior to 5.3.12
  • PHP prior to 5.4.2

Unaffected versions:

  • PHP 4 - getopt parser unexploitable
  • PHP 5.3.12 and up
  • PHP 5.4.2 and up

Remediation

Upgrade to the latest versions of PHP (unaffected versions are PHP 5.3.12 and newer, PHP 5.4.2 and newer).
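
A version triage for the ranges listed above, as an added example that is not part of the original advisory: it extracts the PHP version from a `php-cgi -v` line or an `X-Powered-By` header and classifies it against the fixed releases. The hostnames, sample banners and function names are constructed for illustration.

```python
import re

# Matches "PHP 5.3.10-1ubuntu3 ..." (php-cgi -v) and "PHP/5.3.10" (X-Powered-By).
VERSION_RE = re.compile(r"PHP[/ ](\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner):
    """Return (major, minor, patch) from a banner string, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(banner):
    """Map a banner to 'affected', 'unaffected' or 'unknown' using the
    version ranges listed in this advisory."""
    v = parse_php_version(banner)
    if v is None or v[0] < 4:
        return "unknown"            # no version, or older than the advisory covers
    if v[0] == 4:
        return "unaffected"         # PHP 4: getopt parser unexploitable
    if v < (5, 3, 12):
        return "affected"           # PHP 5 prior to 5.3.12
    if (5, 4, 0) <= v < (5, 4, 2):
        return "affected"           # 5.4 branch prior to 5.4.2
    return "unaffected"             # 5.3.12 and up, 5.4.2 and up


def triage(inventory):
    """Return the hosts that need attention, sorted, as (host, status) pairs.
    'unknown' is kept so a hidden banner is not mistaken for a clean host."""
    flagged = [(h, classify(b)) for h, b in inventory.items()]
    return sorted((h, s) for h, s in flagged if s != "unaffected")


# Constructed sample inventory (hostnames and banners are made up for the example).
SAMPLE = {
    "web-01.example": "PHP 5.3.10-1ubuntu3 with Suhosin-Patch (cgi-fcgi)",
    "web-02.example": "X-Powered-By: PHP/5.4.1",
    "web-03.example": "PHP 5.4.2 (cgi-fcgi)",
    "web-04.example": "PHP 4.4.9 (cgi-fcgi)",
    "web-05.example": "Server: Apache/2.2.22 (Ubuntu)",
    "web-06.example": "PHP 5.3.12 (cgi-fcgi)",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

Distribution packages can carry a backported fix under an older upstream version number, so treat an "affected" result as a prompt to check the vendor's package changelog rather than as proof.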

Tags
  • Code Execution
  • Information Disclosure