CVE-2012-2311

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823. Consequently, an installation that received only the earlier CVE-2012-1823 fix should still be treated as affected until it runs PHP 5.3.13, 5.4.3, or later.

Published at
2012-05-11T10:15Z
4371 days ago
Modified
2023-02-13T00:24Z
441 days ago
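Problem type: CWE-89 (SQL Injection), as recorded in the source data. The description above concerns command-line options injected through the php-cgi query string, not SQL handling, so treat this CWE label with caution when filtering or triaging by weakness class.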

References


Name / URL / Type
bugs.php.net
https://bugs.php.net/bug.php?id=61910
CONFIRM
VU#520827
http://www.kb.cert.org/vuls/id/520827
CERT-VN
www.php.net
http://www.php.net/ChangeLog-5.php#5.4.3
CONFIRM
bugs.php.net
https://bugs.php.net/patch-display.php?bug_id=61910&patch=cgi.diff-fix-check.patch&revision=1336093719&display=1
CONFIRM
eindbazen.net
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
MISC
www.php.net
http://www.php.net/archive/2012.php#id2012-05-08-1
CONFIRM
49014
http://secunia.com/advisories/49014
SECUNIA
SSRT100856
http://marc.info/?l=bugtraq&m=134012830914727&w=2
HP
APPLE-SA-2012-09-19-2
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
APPLE
support.apple.com
http://support.apple.com/kb/HT5501
CONFIRM
1027022
http://www.securitytracker.com/id?1027022
SECTRACK
49085
http://secunia.com/advisories/49085
SECUNIA
SSRT100992
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
HP
openSUSE-SU-2012:0590
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.html
SUSE
DSA-2465
http://www.debian.org/security/2012/dsa-2465
DEBIAN
SUSE-SU-2012:0604
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html
SUSE
SUSE-SU-2012:0598
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html
SUSE

GET https://vulnerabilitydata.com/api/details/CVE-2012-2311

{
	"id": "CVE-2012-2311",
	"published_date": "2012-05-11T10:15Z",
	"last_modified_date": "2023-02-13T00:24Z",
	"assigner": "secalert@redhat.com",
	"description": "sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.",
	"references": [
		{
			"url": "https://bugs.php.net/bug.php?id=61910",
			"name": "https://bugs.php.net/bug.php?id=61910",
			"refsource": "CONFIRM",
			"tags": [
				"Vendor Advisory"
			]
		},
		{
			"url": "http://www.kb.cert.org/vuls/id/520827",
			"name": "VU#520827",
			"refsource": "CERT-VN",
			"tags": [
				"US Government Resource"
			]
		},
		{
			"url": "http://www.php.net/ChangeLog-5.php#5.4.3",
			"name": "http://www.php.net/ChangeLog-5.php#5.4.3",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "https://bugs.php.net/patch-display.php?bug_id=61910&patch=cgi.diff-fix-check.patch&revision=1336093719&display=1",
			"name": "https://bugs.php.net/patch-display.php?bug_id=61910&patch=cgi.diff-fix-check.patch&revision=1336093719&display=1",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/",
			"name": "http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/",
			"refsource": "MISC",
			"tags": []
		},
		{
			"url": "http://www.php.net/archive/2012.php#id2012-05-08-1",
			"name": "http://www.php.net/archive/2012.php#id2012-05-08-1",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "http://secunia.com/advisories/49014",
			"name": "49014",
			"refsource": "SECUNIA",
			"tags": []
		},
		{
			"url": "http://marc.info/?l=bugtraq&m=134012830914727&w=2",
			"name": "SSRT100856",
			"refsource": "HP",
			"tags": []
		},
		{
			"url": "http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html",
			"name": "APPLE-SA-2012-09-19-2",
			"refsource": "APPLE",
			"tags": []
		},
		{
			"url": "http://support.apple.com/kb/HT5501",
			"name": "http://support.apple.com/kb/HT5501",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "http://www.securitytracker.com/id?1027022",
			"name": "1027022",
			"refsource": "SECTRACK",
			"tags": []
		},
		{
			"url": "http://secunia.com/advisories/49085",
			"name": "49085",
			"refsource": "SECUNIA",
			"tags": []
		},
		{
			"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862",
			"name": "SSRT100992",
			"refsource": "HP",
			"tags": []
		},
		{
			"url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.html",
			"name": "openSUSE-SU-2012:0590",
			"refsource": "SUSE",
			"tags": []
		},
		{
			"url": "http://www.debian.org/security/2012/dsa-2465",
			"name": "DSA-2465",
			"refsource": "DEBIAN",
			"tags": []
		},
		{
			"url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.html",
			"name": "SUSE-SU-2012:0604",
			"refsource": "SUSE",
			"tags": []
		},
		{
			"url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.html",
			"name": "SUSE-SU-2012:0598",
			"refsource": "SUSE",
			"tags": []
		}
	],
	"impact": {
		"baseMetricV2": {
			"cvssV2": {
				"version": "2.0",
				"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
				"accessVector": "NETWORK",
				"accessComplexity": "LOW",
				"authentication": "NONE",
				"confidentialityImpact": "PARTIAL",
				"integrityImpact": "PARTIAL",
				"availabilityImpact": "PARTIAL",
				"baseScore": 7.5
			},
			"severity": "HIGH",
			"exploitabilityScore": 10,
			"impactScore": 6.4,
			"obtainAllPrivilege": false,
			"obtainUserPrivilege": false,
			"obtainOtherPrivilege": false,
			"userInteractionRequired": false
		}
	},
	"problem_type": "CWE-89"
}