kiwijohn — 2012-05-22T17:52:08-04:00 — #1
The following has been showing up in our logs lately. Is it anything to be concerned about?
chris_upjohn — 2012-05-22T19:42:21-04:00 — #2
kiwijohn — 2012-05-22T19:51:48-04:00 — #3
Thanks. I read that, but did not come away with a clear understanding of what to check to ensure our system is not vulnerable to this.
chris_upjohn — 2012-05-22T20:00:19-04:00 — #4
There is no risk; the guy trying to run the URL is attempting to execute PHP commands which can only be run from within a terminal shell.
kiwijohn — 2012-05-22T20:01:50-04:00 — #5
Thanks for taking the time to let me know. I appreciate it.
kduv — 2012-05-26T00:48:29-04:00 — #6
That's not completely true. There has been a PHP vulnerability recently discovered that enables people to run remote code from the query string on PHP installations running in CGI mode or mod_cgid (not FastCGI). The logs you're currently seeing are from a user trying to exploit that very vulnerability. Check to see how PHP is running on your system to know if you're vulnerable. Alternatively, you can also go to /index.php?-s and see if the source to your PHP code is displayed. If it is, you're vulnerable.
If you're affected, there are many ways to protect against it. I'm not sure if PHP has released a "working" patch yet as I haven't been following it (I'm not affected), but I'm sure you can find out on PHP's website.
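
Added example, not part of the thread or written by any poster: a Python sketch that scans access-log lines for the kind of request discussed above, a query string that a CGI binary would read as a command-line switch, such as the `/index.php?-s` check. The log lines are constructed samples in Apache common log format, and `is_switch_probe` and `find_probes` are hypothetical names.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_switch_probe(target):
    """True if the query string would reach a CGI program as a '-' switch."""
    _path, sep, query = target.partition("?")
    if not sep or not query:
        return False
    # CGI convention (RFC 3875, section 4.4): only a query string with no
    # unencoded "=" is handed to the program as command-line arguments.
    if "=" in query:
        return False
    # Decode the way the server does before building the argument list.
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")


def find_probes(lines):
    """Return (client, target) for every log line that looks like a probe."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_switch_probe(match.group("target")):
            client = line.split(" ", 1)[0]
            hits.append((client, match.group("target")))
    return hits


# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2012:17:40:01 -0400] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [22/May/2012:17:40:02 -0400] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/May/2012:17:41:13 -0400] "GET /index.php?page=-s HTTP/1.1" 200 812',
    '198.51.100.7 - - [22/May/2012:17:41:15 -0400] "GET /search.php?q=a-b HTTP/1.1" 200 640',
    '203.0.113.5 - - [22/May/2012:17:42:00 -0400] "GET /index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for client, target in find_probes(SAMPLE_LOG):
        print(client, target)
```

A hit records an attempt only; whether the host is exposed still depends on how PHP is running, as the post above says.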