All sites using PHP in CGI mode are affected and your shop can be hacked. Not all PrestaShop stores are affected. If you don’t know how PHP is running on your shop, you should still apply this patch for security reasons.
When PHP is used in a CGI wrapper, remote attackers may pass command-line switches, such as -s, -d or -c, in a query string that is handed to the PHP-CGI binary, leading to arbitrary code execution or source code disclosure. For example, for any PHP-CGI script on your machine, you could see the source via “http://localhost/test.php?-s”. In this case, your web server’s access restrictions still apply. There are more parameters in the PHP-CGI binary (try “php-cgi -h” for a list) which can be used. Some are not available directly (for example, the infamous “-r” parameter that allows code to be passed directly for execution doesn’t work), but others are ready for abuse.
Understanding The Attack
So far we have noticed that the attack starts in two ways, either by checking if the server is vulnerable using the ?-s option (which shows the source of the page):
28.122.205.101 - - [15/June/2012:09:29:22 -0400] "GET /index.php?-s HTTP/1.1" 301
If the attack succeeds, the attacker uploads a backdoor to the compromised site at a random location in the file system and uses it to continue exploiting the server.
How to protect our server?
Log in to your FTP account. In the root of your shop you will find a file named .htaccess; open it and append the following after the content already in the file:
# Enable mod_rewrite for this directory
RewriteEngine On
# Match a raw query string that starts with "-" (or its URL-encoded form %2d) and contains
# no "=", which is the shape of an injected PHP-CGI command-line switch such as ?-s or ?-d
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
# Serve the requested path with the query string stripped (the trailing "?" in "$1?" drops it)
RewriteRule ^(.*) $1? [L]
Save the file; your store is now protected. Note that this rule only takes effect on Apache with mod_rewrite enabled, and it blocks the switch injection at the web server in addition to, not instead of, keeping PHP itself up to date.
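The following Python script is an added example for reviewing access logs after applying the rule; it is not code from the original notice or from PrestaShop. It reuses the exact pattern of the RewriteCond above to flag requests whose raw query string looks like an injected PHP-CGI switch, and it shows why the rule tests the raw (undecoded) query string and why an unencoded "=" is what disables the switch interpretation. The log layout is assumed to be Apache's common/combined format; apart from the line taken from this page, the sample lines (and their documentation-range IP addresses) are constructed.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the .htaccess RewriteCond on this page: the raw query string starts
# with "-" (or its percent-encoded form "%2d") and contains no literal "=". Per the CGI
# specification, a query string with no unencoded "=" is split on "+" and passed to the
# script as command-line arguments, which is how "?-s" reaches php-cgi as "-s".
# Apache does not decode %{QUERY_STRING} before matching, so both spellings are covered.
CGI_SWITCH_QUERY = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Apache common/combined log layout (assumed): client ident user [timestamp] "request" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log: the first line is the one quoted in this notice, the rest are
# made up for illustration (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = [
    '28.122.205.101 - - [15/June/2012:09:29:22 -0400] "GET /index.php?-s HTTP/1.1" 301',
    '198.51.100.7 - - [15/June/2012:09:30:01 -0400] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 5120',
    '198.51.100.7 - - [15/June/2012:09:30:05 -0400] "GET /index.php?-d+display_errors%3d1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [15/June/2012:09:31:44 -0400] "GET /modules/test.php?-foo=bar HTTP/1.1" 404 209',
    '203.0.113.9 - - [15/June/2012:09:31:50 -0400] "POST /index.php?%2DS HTTP/1.1" 200 88',
]


def is_cgi_switch_query(query_string):
    """True if the raw query string has the PHP-CGI switch-injection shape.

    Note that "%3d" is not a literal "=", so "-d+display_errors%3d1" still matches,
    exactly as it would still be treated as arguments by the CGI wrapper.
    """
    return bool(CGI_SWITCH_QUERY.match(query_string))


def parse_log_line(line):
    """Split one access-log line into a dict, or return None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # urlsplit keeps the query string undecoded, matching what Apache sees in %{QUERY_STRING}
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def find_cgi_switch_probes(lines):
    """Return parsed records for every request whose query string looks like a switch injection."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and is_cgi_switch_query(rec["query"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_cgi_switch_probes(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["ts"]} {hit["method"]} {hit["path"]}?{hit["query"]} -> {hit["status"]}')
```

Because the rewrite rule strips the query string rather than refusing the request, a blocked probe still appears in the access log with whatever status the underlying page returned, so the log review above is how you see that someone is scanning for the flaw even after the rule is in place. A status of 301 on the quoted line, for instance, only tells you that the probe was redirected, not whether the source was disclosed.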