Article ID: 113821, created on May 4, 2012, last review on Aug 12, 2014

  • Applies to:
  • H-Sphere


On May 3rd 2012 PHP-CGI remote code execution vulnerability was disclosed to general public. This is a Critical Vulnerability that affects all software that contains PHP-CGI.


The critical major flaw was discovered in PHP (CVE-2012-1823), which allows to get php script source code and potentially trigger remote code execution in some cases (no publicly available PoC):

Official patch given on this page still doesn't close the issue at full.


There are two solutions in this case: How to apply mod_rewrite fix on an hsphere cluster:

1.      Verify that vulnerability exists. Find a site which uses php in CGI mode, copy the file /hsphere/shared/apache/htdocs/hsphpinfo.php to site root directory, and open the URL "http://<site name>/hsphpinfo.php?-s" in browser. If you see PHP source code instead of HTML document, the server is vulnerable.
2.      Find which vhost config template is used. Either there is a custom one located in the directory
          or if there is no vhost.config there, a standard one located in the directory

We recommend applying the changes to custom one to preserve the changes during the upgrades, however it should be created if it does not exist:

cp ~cpanel/shiva/shiva-templates/common/domain/vhost.config ~cpanel/shiva/custom/templates/common/domain/vhost.config
Note: path to custom templates may be different on your installation, to find out execute grep USER_TEMPLATE_PATH ~cpanel/shiva/psoft_config/, default location:

[root@cp ~]# grep USER_TEMPLATE_PATH ~cpanel/shiva/psoft_config/

3.      Patch the hsphere template files (custom template in this example) using attached vhost.config.patch:

su -l cpanel
patch -p0 -d /hsphere/local/home/cpanel/hsphere/WEB-INF/classes/custom/templates/common/domain  < vhost.config.patch

Note: if your custom vhost template significantly differs from the standard one, apply the changes from vhost.config.patch by hand.
4.      Update Apache virtualhost configuration files
su - cpanel -c "java -Xms64M -Xmx512M -ic"
Note: if your customers have deleted index.html files manually from website's root you can use

su - cpanel -c "java -Xms64M -Xmx512M -lid 0"
to skip default content reinitialization, only virtual host configuration will change. Please note that we strongly recommend using Directory Indexes to avoid complications in future (see this article for details)
5.      Restart apache services.
  • Go to CP page E.Manager / Servers / P.Servers
  • For each pserver, click [System Information] icon / System Service Management
  • Select 'httpd' checkbox, select 'Restart' radio button, press [Apply]
Alternatively it is possible to do it using the following command:
ip_list=`mktemp` ; for ip_serv in ` /hsphere/shared/bin/hsinfo -i -g unix_hosting ` ; do ( echo $ip_serv ; /hsphere/shared/bin/hsinfo -S -p $ip_serv ) ; done > $ip_list ; for ip in `cat $ip_list` ; do ( su - cpanel -c "ssh -a -x root@$ip /hsphere/shared/bin/manage-service httpd restart " ) ; done ; rm -f $ip_list 
6.      To verify that the vulnerability has been fixed, repeat the step #1. PHP source code should not be displayed.
Additional reference

Note: please refer to this article if some of the sites show default page after applying this KB


f213b9fa8759d57bee5d547445806fe7 6311ae17c1ee52b36e68aaf4ad066387

Email subscription for changes to this article
Save as PDF