Regarding whether using FCGID makes one safe – I suspect the issue there is just that the worm that’s going around is only testing on /cgi-bin/, it’s probably not testing other directories. The original vulnerability appears to work on FCGID, if I’m reading the info about it correctly.
However, I just set up a brand new Ubuntu 12.04 install, and downloaded the exploit for the issue that’s occurring now.
I configured Virtualmin to use CGI for this particular domain. I then needed to copy cgi-bin/php5.cgi to cgi-bin/php-cgi.
Once I did that, I ran the exploit against the server here, and it wasn’t successful.
Then, I removed cgi-bin/php-cgi, and copied the actual PHP5 binary, /usr/bin/php-cgi, into cgi-bin.
After doing that, it continued to not be successful… I see this message:
***SERVER RESPONSE***
HTTP/1.1 500 Internal Server Error
Date: Thu, 14 Nov 2013 20:28:42 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 612
Connection: close
Content-Type: text/html; charset=iso-8859-1
500 Internal Server Error
And this is generated in the Apache error log:
malformed header from script. Bad header=Security Alert! The PHP: php-cgi
The exploit is supposed to be running a program remotely on the server that generates some output… and I’m not seeing any sign of this. I only see an error that the attempt to access the PHP binary directly was a security issue, and was denied.
For anyone who has seen this issue, and feels that they can reproduce it –
What output do you receive when running any of the exploits?
Can you paste in the output that appears to signify a successful exploit?
-Eric
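As an added example (not part of Eric's post or of Virtualmin), this Python script picks out the symptom described above from Apache logs: the "malformed header ... Security Alert!" error-log line that php-cgi emits when it refuses direct invocation, correlated with access-log requests to the /cgi-bin/ paths the scanner was probing. The Apache 2.2 error_log and combined access-log formats are assumed, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Apache 2.2 error_log line: [timestamp] [level] [client A.B.C.D] message
ERROR_LINE = re.compile(r'^\[[^\]]+\] \[\w+\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')
# Combined access log line: ip ident user [timestamp] "METHOD path HTTP/x.y" status bytes ...
ACCESS_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Marker php-cgi prints when invoked directly as a CGI binary; Apache logs it as a malformed header and answers 500.
PHP_CGI_ALERT = "Bad header=Security Alert! The PHP"
# Paths the post says the scanner probes (it was only testing /cgi-bin/).
PROBE_PATHS = {"/cgi-bin/php-cgi", "/cgi-bin/php5.cgi", "/cgi-bin/php"}

def php_cgi_denials(error_log):
    """Return {client_ip: count} of direct php-cgi invocations that php-cgi refused."""
    hits = defaultdict(int)
    for line in error_log.splitlines():
        m = ERROR_LINE.match(line)
        if m and PHP_CGI_ALERT in m.group("msg"):
            hits[m.group("ip")] += 1
    return dict(hits)

def php_cgi_probes(access_log):
    """Return {client_ip: [(path, status), ...]} for requests to known php-cgi paths."""
    probes = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_LINE.match(line)
        if m:
            path = m.group("path").split("?", 1)[0]   # ignore any query string
            if path in PROBE_PATHS:
                probes[m.group("ip")].append((path, int(m.group("status"))))
    return dict(probes)

def report(error_log, access_log):
    """Join both logs per client: probes seen in access_log, denials seen in error_log."""
    denials, probes = php_cgi_denials(error_log), php_cgi_probes(access_log)
    return {ip: {"probes": len(probes.get(ip, [])), "denied": denials.get(ip, 0)}
            for ip in set(denials) | set(probes)}

# Constructed sample lines (not from the post); only the marker text follows its quote.
ERROR_LOG = """\
[Thu Nov 14 20:28:42 2013] [error] [client 198.51.100.7] malformed header from script. Bad header=Security Alert! The PHP: php-cgi
[Thu Nov 14 20:28:43 2013] [error] [client 198.51.100.7] malformed header from script. Bad header=Security Alert! The PHP: php-cgi
[Thu Nov 14 20:29:01 2013] [error] [client 203.0.113.9] File does not exist: /var/www/favicon.ico
"""
ACCESS_LOG = """\
198.51.100.7 - - [14/Nov/2013:20:28:42 +0000] "POST /cgi-bin/php-cgi HTTP/1.1" 500 612 "-" "-"
198.51.100.7 - - [14/Nov/2013:20:28:43 +0000] "POST /cgi-bin/php5.cgi HTTP/1.1" 500 612 "-" "-"
192.0.2.44 - - [14/Nov/2013:20:30:12 +0000] "GET /cgi-bin/php-cgi?x=1 HTTP/1.1" 404 287 "-" "-"
"""
```

A client whose probes all pair with denials (as 198.51.100.7 does here) hit php-cgi's own refusal and got the 500 shown in the post, not a successful run; a probe answered 404 means the path simply is not deployed.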