Is there a way to scan websites externally for the recent PHP CGI flaw?

@Bethany197

Posted in: #Php #Security

The recent PHP CGI flaw exposed (CVE-2012-1823) has me wondering if some of the legacy sites that I've inherited might be vulnerable. (see Physorg article)

Does anybody know of a means to externally scan your websites to see if they might be running a PHP setup that is vulnerable to this problem?





3 Comments


@Reiling115

There is a Metasploit module for this: packetstormsecurity.org/files/112477/php_cgi_arg_injection.rb.txt
As FastCGI is not vulnerable to this, then the simplest way to fix it in most cases is to switch from CGI to FastCGI (providing your app can run OK on FastCGI, and your server has enough RAM).

As far as I can make out, there's no simple way to tell remotely whether you're running FastCGI or CGI (see this discussion on StackOverflow), so the easiest way to do this would be to go to your hosting control panel and check the settings there.


@Michele947

If you're not sure, you may wish to add the mod_rewrite workaround into your root .htaccess file for each host, just in case. In fact, I'd recommend using an even more general rule:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

# Workaround for CVE-2012-1823: strip query strings with no = signs.
RewriteCond %{QUERY_STRING} ^[^=]+$
# $1 keeps the requested path; the trailing ? replaces the query string with nothing.
RewriteRule ^(.*) $1?


This will strip off any query string that doesn't contain at least one = sign. As long as you have no oddball scripts that rely on such query strings (which, say, a normal form submission will never generate), it should not break anything. Note that using dummy query strings for cache busting is not affected, since this is an internal rewrite.

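The rewrite rule above works because of how Apache's mod_cgi treats query strings: per RFC 3875 section 4.4, a query string with no literal "=" is split on "+", percent-decoded and handed to the CGI binary as command-line arguments, which is exactly what lets "?-s" or "?%2ds" reach php-cgi. The following Python model is an added example, not code from the thread or from Apache; it reproduces that mod_cgi rule and the RewriteCond side by side so you can check which query strings each one touches. The query strings in it are constructed samples.

```python
import re
from urllib.parse import unquote

# Model of Apache's mod_cgi argument handling (RFC 3875 section 4.4): only a
# query string with no literal "=" becomes argv; it is split on "+" and each
# piece is percent-decoded, so "%2ds" arrives at php-cgi as "-s".
# Assumption: this mirrors mod_cgi's behaviour; it is not Apache's own code.
def cgi_argv(query_string):
    if not query_string or "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+")]

# The RewriteCond from the .htaccess above: one or more characters, none "=".
STRIP_RE = re.compile(r"^[^=]+$")

def rewrite_strips(query_string):
    """True if the workaround rule would replace this query string with nothing."""
    return STRIP_RE.match(query_string) is not None

def argv_after_workaround(query_string):
    """Arguments php-cgi would still receive once the rewrite has run."""
    if rewrite_strips(query_string):
        return []
    return cgi_argv(query_string)

def classify(query_string):
    """How the rule and mod_cgi together treat a query string."""
    if not query_string:
        return "empty"
    if rewrite_strips(query_string):
        return "stripped"   # exactly the strings mod_cgi would have turned into argv
    return "kept"           # contains "=", so mod_cgi never passes it as argv

if __name__ == "__main__":
    # Constructed samples: ordinary form queries, a cache-buster, and the
    # "-s" probe from the thread in plain and percent-encoded form.
    for qs in ["", "a=1", "page=2&sort", "12345", "-s", "%2ds", "a%3d1", "x+y"]:
        print(f"{qs!r:12} argv={cgi_argv(qs)!s:14} -> {classify(qs)}")
```

Running it shows that the set of query strings the RewriteCond strips is the same set mod_cgi would pass as arguments (including "a%3d1", whose encoded "=" does not count as a literal one), while anything containing a real "=" is left alone because mod_cgi would never treat it as argv anyway. A cache-buster such as "?12345" is stripped server-side, but since the rewrite is internal the browser still sees a distinct URL, which is the point made in the comment.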

@Shanna517

Aside from going through each site manually using the vulnerable query string

localhost/index.php?-s

you could write a script to query an array of URLs and just load the page and search for

<?php


Seems like a waste to me since if all the sites are on the same server you will only need to check one site, not all of them. Assuming they are on different servers, a script like that should be helpful.

Anyone else have a better idea?

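The script sketched above, and the external check the original question asks for, can be written as the following inventory checker for sites you administer. It is an added example, not code from the thread. One detail worth building in: when php-cgi honours "-s" it emits the script as syntax-highlighted HTML, so the opening tag appears entity-encoded as "&lt;?php" rather than as a literal "<?php", and the script looks for both. It also fetches each page without the probe first, so a page that legitimately displays PHP code (a tutorial, say) is reported as inconclusive instead of as a hit. The hostnames and responses are constructed so the script runs offline; pass real URLs on the command line to check actual hosts.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# php-cgi's "-s" output is highlighted HTML, so the open tag shows up as
# "&lt;?php"; a raw "<?php" means the file was served without PHP running at all.
SOURCE_MARKERS = ("&lt;?php", "<?php")

def has_source_marker(body):
    return any(marker in body for marker in SOURCE_MARKERS)

def with_query(url, query):
    """Replace whatever query (and fragment) the URL had; empty removes it."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", query, ""))

def http_fetch(url, timeout=10):
    """Return the response body as text, or None if the request fails."""
    request = urllib.request.Request(url, headers={"User-Agent": "php-cgi-inventory-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None

def check_site(url, fetch=http_fetch):
    """Compare the page with and without ?-s to avoid false positives on
    pages that display PHP source on purpose."""
    baseline = fetch(with_query(url, ""))
    probe = fetch(with_query(url, "-s"))
    if baseline is None or probe is None:
        return "error"
    if has_source_marker(baseline):
        return "inconclusive"   # marker present even without -s: inspect by hand
    return "source-disclosed" if has_source_marker(probe) else "ok"

def scan(urls, fetch=http_fetch):
    return {url: check_site(url, fetch) for url in urls}

# Constructed responses for three hypothetical hosts (assumption: these are
# not real sites). The highlighted fragment mirrors the shape of php-cgi -s output.
DEMO_SITES = [
    "http://legacy-a.example/index.php",
    "http://legacy-b.example/index.php",
    "http://tutorial.example/index.php",
]
FAKE_PAGES = {
    "http://legacy-a.example/index.php": "<html><body>Welcome</body></html>",
    "http://legacy-a.example/index.php?-s": (
        '<code><span style="color: #000000">\n'
        '<span style="color: #0000BB">&lt;?php&nbsp;</span>'
        '<span style="color: #007700">echo&nbsp;</span>...</code>'
    ),
    "http://legacy-b.example/index.php": "<html><body>Welcome</body></html>",
    "http://legacy-b.example/index.php?-s": "<html><body>Welcome</body></html>",
    "http://tutorial.example/index.php": "<pre>&lt;?php echo 'hi'; ?&gt;</pre>",
    "http://tutorial.example/index.php?-s": "<pre>&lt;?php echo 'hi'; ?&gt;</pre>",
}

def fake_fetch(url):
    return FAKE_PAGES.get(url)

if __name__ == "__main__":
    targets = sys.argv[1:]
    fetch = http_fetch if targets else fake_fetch
    for url, verdict in scan(targets or DEMO_SITES, fetch).items():
        print(f"{verdict:17} {url}")
```

As the comment above notes, one check per server is enough when several sites share a host. A "source-disclosed" result only shows the "-s" symptom, so an "ok" after patching PHP or moving to FastCGI is expected; a hit means the CGI binary is still reading options from the query string and the site needs one of the fixes discussed in this thread.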