Latest PHP patch cannot fix the bug
A CERT advisory on the flaw explains: “When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.”
Later, PHP developers published patches for PHP 5.3.12 and PHP 5.4.2. Unfortunately, these fixes were found to be easily bypassed. For more information, see "Official Fix for PHP Flaw Easily Bypassed" in the reference below.
This bug may affect many hosted websites: once a website allows remote code execution, attackers have a chance to take it over. Hopefully workable patches will be published soon.
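While waiting for a working patch, administrators can check access logs for the request shape the advisory describes. The Python sketch below is an added example, not code from the advisory or the PHP project; it assumes Apache combined log format, and the function names and log lines are constructed for illustration. It flags requests whose query string has no unencoded `=` and, once URL-decoded, starts with a hyphen, which is the case in which a CGI server hands the query string to php-cgi as command-line arguments.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/May/2012:10:01:12 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "curl/7.21"
198.51.100.7 - - [04/May/2012:10:01:15 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120 "-" "curl/7.21"
203.0.113.9 - - [04/May/2012:10:02:40 +0000] "GET /index.php?page=-1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [04/May/2012:10:03:02 +0000] "GET /search.php?q=-s+flag HTTP/1.1" 200 977 "-" "Mozilla/5.0"
192.0.2.44 - - [04/May/2012:10:05:11 +0000] "POST /cgi-bin/php?-c+x HTTP/1.1" 500 0 "-" "-"
"""

# Request line inside the quoted field of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_switch_query(target):
    """True if the query string would reach a CGI binary as a command-line switch."""
    _path, sep, query = target.partition("?")
    # An unencoded "=" marks ordinary form data, which is not passed as arguments.
    if not sep or "=" in query:
        return False
    # Decode first so an encoded hyphen (%2D) is caught as well as a literal one.
    return unquote_plus(query).lstrip().startswith("-")


def find_suspect_requests(log_text):
    """Return (client, method, target) for every log line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_switch_query(m.group("target")):
            hits.append((line.split()[0], m.group("method"), m.group("target")))
    return hits


if __name__ == "__main__":
    for client, method, target in find_suspect_requests(SAMPLE_LOG):
        print(f"suspect: {client} {method} {target}")
```

A hit shows that a request had this shape, not that it succeeded; the response status and size in the same log line help when triaging.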
Reference : http://www.securityweek.com/official-fix-php-flaw-easily-bypassed-researchers-say