How to secure servers from attack

Dovid Bender asked:

We got a POST request to our server with the following in it:

%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%F%69%6E%70%75%74+%2D%6E

Using url decode this translates to:

cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env file=php://input -n

It seems to be similar to "Strange URL requests via Nginx on Ubuntu 14.04, what is the malicious user trying to do?". In what scenario would the request work? I see from the logs we sent a 404, but I want to make sure we don't have any other box that may be vulnerable to it.

My answer:

Many years ago people used to run PHP as a CGI script (not even FastCGI, it didn’t exist yet!) in part so that they could switch Apache from its low-performance prefork MPM to the new and somewhat higher performing worker MPM. (And nginx was unknown yet, it was that long ago.) If a server was set up to run PHP as a CGI script, then you could call the PHP interpreter directly at /cgi-bin/php.

PHP technically still could be installed as CGI, but it turned out not to be as performant as people were hoping, thus FastCGI was invented. All current high performance PHP sites use FastCGI/FPM, generally with nginx or sometimes with Apache’s event MPM. FastCGI/FPM are not vulnerable to this as they do not permit PHP to be called directly through /cgi-bin.

If your server isn’t an ancient rotting pile of PHP run as CGI, then you need not worry about this request.
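A defender reading the question mostly wants to know whether any other box received (and honoured) a request like this. The following log scanner is an added example, not code from the Server Fault thread: it percent-decodes the request target and flags the pattern in the post, a query string that php-cgi would receive as command-line options carrying risky `-d` ini overrides. The log lines are constructed for the example; the function and directive names are my own.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed sample (combined log format); the first line is the request from the post,
# trimmed to two of its -d directives.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "POST /%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:37 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2015:13:56:01 +0000] "GET /search?q=-d+foo HTTP/1.1" 200 812 "-" "curl/7.35"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# ini overrides from the decoded request on this page that neuter PHP's safety settings
# or make php read its script from the POST body.
RISKY_DIRECTIVES = {"allow_url_include", "auto_prepend_file", "safe_mode",
                    "disable_functions", "open_basedir"}


def analyse_target(target: str) -> dict:
    """Decode a request target and report php-cgi argument-injection indicators.

    Per the CGI spec (RFC 3875 section 4.4) a query string with no unencoded '='
    is handed to the script as command-line arguments. That is why every byte in
    the post's request is percent-encoded: the raw query has no literal '=', yet
    it decodes to '-d key=value ...', which php-cgi parses as its own options.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote_plus(parts.query)
    argv_style = parts.query != "" and "=" not in parts.query and query.startswith("-")
    directives = {m.group(1) for m in re.finditer(r"-d\s+([\w.]+)=", query)}
    return {
        "path": path,
        "decoded_query": query,
        "argv_style_query": argv_style,
        "php_cgi_target": "/cgi-bin/php" in path or path.endswith(".php"),
        "risky_directives": sorted(directives & RISKY_DIRECTIVES),
    }


def is_php_cgi_injection(target: str) -> bool:
    r = analyse_target(target)
    return r["argv_style_query"] and (r["php_cgi_target"] or bool(r["risky_directives"]))


def scan_log(text: str) -> list:
    """Return (client, target, findings) for each request that matches the pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_php_cgi_injection(m.group("target")):
            hits.append((line.split()[0], m.group("target"), analyse_target(m.group("target"))))
    return hits
```

A 404 in the hit list is harmless, as the answer explains; the lines to chase are hits that returned 200 from a host still running PHP as a plain CGI binary.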
View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.