www.TheCyberUnderground.com
---------------------------------
Vulnerability in /cgi-bin/php.cgi
Bug originally posted to Bugtraq
Extra research by Kurruppt2k
---------------------------------

php.cgi is a binary executable that can act as a site's PHP interpreter.
The syntax for it is simply:

www.somesite.com/cgi-bin/php.cgi?path/to/script.php

There are two possible problems with php.cgi, depending on the version
and configuration.

1) php.cgi will open whatever file it is pointed at, regardless of whether
or not it is a .php file. If it is PHP, it will execute it. If it is not,
it will often just display it (in the case of a plain-text ASCII file).
This has been fixed in later versions.

2) php.cgi does not always chroot, nor does it check the input for a path
that begins with '/'.

For example, a web admin sets up a .php script called runme.php, located at
/cgi-bin/phpstuff/runme.php. The link to it, if he wanted it interpreted by
php.cgi, would be:

www.somesite.com/cgi-bin/php.cgi?phpstuff/runme.php

But if he is running a vulnerable version that (A) will open any file
regardless of type and (B) does not check the input for paths that begin
with '/', the following URL would display the contents of /etc/passwd:

www.somesite.com/cgi-bin/php.cgi?/etc/passwd

The Fix: get the latest version of php.cgi.

To test your site, just try the URL above. If you find that you are
vulnerable, contact your vendor.
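The following Python script is an added example, not code from the advisory
or from PHP itself. It models the two defects (A) and (B) with a hypothetical
document root, shows the checks a fixed interpreter has to apply before
opening a file, builds the probe URL the advisory suggests, and classifies a
fetched response body as a leaked /etc/passwd. It goes one step beyond the
advisory by also rejecting '..' traversal, since a leading-slash check alone
does not confine a path to the web tree. The document root, the hostname and
the sample response bodies are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example (not the advisory's own code and not PHP's source).

Models the php.cgi defects described above with a hypothetical document
root, builds the probe URL, and classifies a response body as a leaked
/etc/passwd.  Paths, hosts and sample bodies are constructed, not captured.
"""
import posixpath
import re
from urllib.parse import quote

# Hypothetical directory a php.cgi resolves relative script paths against.
DOCROOT = "/var/www/cgi-bin"


def vulnerable_resolve(requested: str) -> str:
    """Mimic defects (A) and (B): take whatever path is given, check nothing.

    posixpath.join discards DOCROOT entirely when `requested` is absolute,
    which is exactly how '?/etc/passwd' escapes the web tree.
    """
    return posixpath.join(DOCROOT, requested)


def hardened_resolve(requested: str) -> str:
    """What a fixed interpreter must do before opening the file.

    Goes beyond the advisory by also rejecting '..' traversal: a leading
    slash check alone does not keep the path inside DOCROOT.
    """
    if requested.startswith("/"):
        raise ValueError("absolute path rejected")             # defect (B)
    if not requested.endswith(".php"):
        raise ValueError("only .php scripts are interpreted")  # defect (A)
    full = posixpath.normpath(posixpath.join(DOCROOT, requested))
    if not full.startswith(DOCROOT + "/"):
        raise ValueError("path escapes the document root")     # '..' traversal
    return full


def is_rejected(requested: str) -> bool:
    """True if the hardened resolver refuses the requested path."""
    try:
        hardened_resolve(requested)
    except ValueError:
        return True
    return False


def build_test_url(host: str, target: str = "/etc/passwd") -> str:
    """The probe URL from the advisory, for a hypothetical host."""
    return f"http://{host}/cgi-bin/php.cgi?{quote(target)}"


# One passwd(5) entry: name:password:uid:gid:gecos:home:shell
_PASSWD_LINE = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M
)


def looks_like_passwd(body: str) -> bool:
    """Classify a response body as a leaked /etc/passwd (>= 2 valid entries)."""
    return len(_PASSWD_LINE.findall(body)) >= 2


# Constructed sample bodies, not captured from any real host.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:65534:65534:Nobody:/:/sbin/nologin\n"
)
SAMPLE_HTML = "<html><body>Not found</body></html>\n"


if __name__ == "__main__":
    print("probe:", build_test_url("www.somesite.com"))
    print("vulnerable resolver opens:", vulnerable_resolve("/etc/passwd"))
    for p in ("phpstuff/runme.php", "/etc/passwd",
              "phpstuff/notes.txt", "../../../etc/passwd.php"):
        outcome = "rejected" if is_rejected(p) else hardened_resolve(p)
        print(f"hardened resolver {p!r}: {outcome}")
    print("leak in passwd body:", looks_like_passwd(SAMPLE_PASSWD))
    print("leak in html body:  ", looks_like_passwd(SAMPLE_HTML))
```

Feed the body returned by the probe URL to looks_like_passwd() rather than
eyeballing it; an interpreter that refuses the request will normally return
an error page or an empty body, which the classifier reports as no leak.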