On May 3rd, 2012, a PHP-CGI remote code execution vulnerability was disclosed to the general public. This is a critical vulnerability that affects all software that contains PHP-CGI.
Cause
A critical flaw was discovered in PHP (CVE-2012-1823) that allows an attacker to obtain PHP script source code and, in some cases, potentially trigger remote code execution (no publicly available PoC):
The official patch given on this page still does not fully close the issue.
Resolution
There are two solutions in this case:
- switch PHP mode from PHP CGI to PHP FastCGI or mod_php
- apply a mod_rewrite rule described in a comment to https://bugs.php.net/bug.php?id=61910
1. Verify that the vulnerability exists. Find a site that uses PHP in CGI mode, copy the file /hsphere/shared/apache/htdocs/hsphpinfo.php to the site's root directory, and open the URL "http://<site name>/hsphpinfo.php?-s" in a browser. If you see PHP source code instead of an HTML document, the server is vulnerable.
2. Find which vhost config template is used. Either there is a custom one located in the directory
or if there is no vhost.config there, a standard one located in the directory
We recommend applying the changes to the custom one so that they are preserved during upgrades; if it does not exist, create it:
cp ~cpanel/shiva/shiva-templates/common/domain/vhost.config ~cpanel/shiva/custom/templates/common/domain/vhost.config
Note: the path to custom templates may be different on your installation. To find it, execute grep USER_TEMPLATE_PATH ~cpanel/shiva/psoft_config/hsphere.properties, default location:
[root@cp ~]# grep USER_TEMPLATE_PATH ~cpanel/shiva/psoft_config/hsphere.properties
3. Patch the hsphere template files (custom template in this example) using the attached vhost.config.patch:
su -l cpanel
patch -p0 -d /hsphere/local/home/cpanel/hsphere/WEB-INF/classes/custom/templates/common/domain < vhost.config.patch
Note: if your custom vhost template significantly differs from the standard one, apply the changes from vhost.config.patch by hand.
4. Update Apache virtualhost configuration files
su - cpanel -c "java -Xms64M -Xmx512M psoft.hsphere.tools.PostApacheConfigs -ic"
Note: if your customers have manually deleted index.html files from their websites' root directories, you can use
su - cpanel -c "java -Xms64M -Xmx512M psoft.hsphere.tools.PostApacheConfigs -lid 0"
to skip default content reinitialization; only the virtual host configuration will change. Please note that we strongly recommend using Directory Indexes to avoid complications in the future (see this article for details).
5. Restart Apache services.
- Go to CP page E.Manager / Servers / P.Servers
- For each pserver, click [System Information] icon / System Service Management
- Select 'httpd' checkbox, select 'Restart' radio button, press [Apply]
ip_list=`mktemp` ; for ip_serv in ` /hsphere/shared/bin/hsinfo -i -g unix_hosting ` ; do ( echo $ip_serv ; /hsphere/shared/bin/hsinfo -S -p $ip_serv ) ; done > $ip_list ; for ip in `cat $ip_list` ; do ( su - cpanel -c "ssh -a -x root@$ip /hsphere/shared/bin/manage-service httpd restart " ) ; done ; rm -f $ip_list
6. To verify that the vulnerability has been fixed, repeat step 1. PHP source code should not be displayed.
Note: please refer to this article if some of the sites show the default page after applying this KB.
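The check from steps 1 and 6 can be repeated across many sites from a shell instead of a browser. The script below is an added example, not part of the original KB or of H-Sphere; it assumes curl is installed and that hsphpinfo.php has already been copied into each site's root, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original KB). Assumes hsphpinfo.php was
# copied into each site's root as in step 1 and that curl is installed.

# classify_body: read an HTTP response body on stdin and print
#   vulnerable - PHP source came back (php-cgi honoured the -s switch)
#   ok         - rendered phpinfo() HTML came back
#   unknown    - neither (missing file, default page, timeout, ...)
classify_body() {
    body=$(cat)
    case $body in
        # -s output is syntax-highlighted source, so "<?" arrives as "&lt;?";
        # also accept a raw "<?php" in case the source is sent unescaped.
        *'&lt;?'*|*'<?php'*) echo vulnerable ;;
        *'phpinfo()'*|*'PHP Version'*) echo ok ;;
        *) echo unknown ;;
    esac
}

# check_site: fetch the test URL for one site name and classify the reply.
check_site() {
    curl -s --max-time 10 "http://$1/hsphpinfo.php?-s" | classify_body
}

# Usage: sh check-php-cgi.sh site1.example site2.example ...
# Prints one "site<TAB>result" line per argument; does nothing without arguments.
for site in "$@"; do
    printf '%s\t%s\n' "$site" "$(check_site "$site")"
done
```

A result of "unknown" means the test file was not served as expected (for example, the site shows the default page), so that site needs a manual look rather than being counted as fixed.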