PHP-CGI vulnerability and our Prestashop store

All sites using PHP in CGI mode are affected and your shop can be hacked. All PrestaShop stores are not affected. If you don’t know how PHP is running on your shop, you should still apply this patch for security reasons. When PHP is used in a CGI wrapper, remote attackers may use this solution for command-line switches, such as -s, -d or -c, in a query string that will be passed to the PHP-CGI binary, leading to arbitrary code execution or source code disclosure. For example, for any PHP-CGI script on your machine, you could see the source via “http://localhost/test.php?-s”. In this case, your web server’s access restrictions still apply. There is more parameters in the PHP-CGI binary (try “php-cgi -h” for a list) which can be used. Some are not available directly (for example, the infamous “-r” parameter that allows to directly pass code for execution doesn’t work), but others are ready for abuse.

Understanding The Attack

So far we noticed that the attack starts in two ways, either by checking if the server is vulnerable using the?-s option (which shows the source of the page):

1 – - [15/June/2012:09:29:22 -0400] “GET /index.php?-s HTTP/1.1 301


If the attacker succeeds, it will upload a backdoor to the compromised site in a random location of the file system and use that to continue exploiting the server.


How to protect our server?

Login into your FTP account -  you will find at the root of your shop a file named .htaccess open it and edit its content by simply adding this after the information already in the file:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

Save the file, your store is now protected.

author milos myszczuk
Article by Milosz Myszczuk PrestaShop expert, official PrestaShop community moderator. PHP developer, specialist in relative and spatial databases management, GIS Analyst, CEO & founder of VEKIA interactive agency. Read more about VEKIA company
If you like my articles and want much more valuable tips, feel free to send me donation
1.4 version 1.4.11 1.6 404 addon admin advertise ahref ajax alpha animation api app application authentication back office backup badge banner basics block bootstrap button cache carrier cart catalog category certificate changelog chat class clear client clip cms code colors columns comments configuration contact container content controller cookie counter country coupon css csv currency customer dashboard database debug default delete delivery desktop developer device disable discount displayNav displayTop download dynamic editor effect empty encrypt engine error exchange exclude export facebook faceshop fade fancoupon fancybox fanpage fatal feature feed field file fix fixed font footer free friendly url front ftp full gallery generate gift global godaddy google google+ gray grid groupon header help hide highlight homefeatured homepage hook hosting hover howto htaccess html html5 ID image import include input instagram installation integration iPhone issue javascript jquery kgb knowhow languages law left likebox link list livingsocial loading log login logo loyality mail mailing maintenance manufacturer marketing marquee mcrypt menu meta mobile modification module movie moving multilanguage multiupload must have mysql news newsletter notification number open graph order override page password performance PHP phpmyadmin picture pinterest plugin popup post prestashop prestashop 1.0 prestashop 1.1 prestashop 1.2 prestashop 1.3 prestashop 1.4 prestashop 1.5 price rules problem product profile promotion proslider purifier quantity query quick tip random rates register reinsurance release reporting reset responsive restore results ribbon rich text right sales search security seo service shadow share shipping shop shopmania slider smarty social networks SQL SSL statistics stock store style subcategory superuser support switcher tab tablet tag tax template text theme tinyMCE tips and tricks tpl tracking translations tree trends trigger tumblr tutorial twitter update upgrade upload variables video visits voucher vulnerability web2print wide widget width window wishlist wysiwyg youtube zip zopim