Re: NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823)

[Paulino Calderon <paulino () calderonpale com>]

On 04/05/2012 03:35 p.m., Patrik Karlsson wrote:
> On Fri, May 4, 2012 at 9:25 PM, David Fifield <david () bamsoftware com 
> <mailto:david () bamsoftware com>> wrote:
>
>     On Fri, May 04, 2012 at 12:30:00PM -0500, Paulino Calderon wrote:
>     > Hi list,
>     >
>     > Here is my script for detecting vulnerable PHP-CGI setups
>     > (CVE2012-1823). This is a pretty scary vuln as it affects a lot of
>     > installations. Here is the full advisory:
>     > http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
>     > I'm going to look more into it to write a reliable exploitation
>     > script too. So far it seems the -r flag is not available in all the
>     > setups and we will need to exploit via RFI to be 100% accurate.
>
>     Nice, Paulino. Please commit this script.
>
>     David Fifield
>     _______________________________________________
>     Sent through the nmap-dev mailing list
>     http://cgi.insecure.org/mailman/listinfo/nmap-dev
>     Archived at http://seclists.org/nmap-dev/
>
>
> Great work! Would attempting to match both the opening and closing tag 
> improve detection?
>
> //Patrik
> --
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77
Hi Patrik,
PHP coders sometimes don't use closing tags since they are optional. If 
we match closing tags in these files, the script will incorrectly report 
that a host is not vulnerable.
Check out:
http://php.net/manual/en/language.basic-syntax.instruction-separation.php
http://phpstarter.net/2009/01/omit-the-php-closing-tag/

Cheers!

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/