How to secure servers from a cgi-bin/php POST request attack

We got a POST request to our server with the following in it:

%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%F%69%6E%70%75%74+%2D%6E

Using url decode this translates to:

cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env file=php://input -n

It seems to be similar to "Strange URL requests via Nginx on Ubuntu 14.04, what is the malicious user trying to do?". In what scenario would the request work? I see from the logs we sent a 404 but I want to make sure we don't have any other box that may be vulnerable to it.


Many years ago people used to run PHP as a CGI script (not even FastCGI, it didn't exist yet!) in part so that they could switch Apache from its low-performance prefork MPM to the new and somewhat higher performing worker MPM. (And nginx was still unknown; it was that long ago.) If a server was set up to run PHP as a CGI script, then you could call the PHP interpreter directly at /cgi-bin/php.

PHP technically still could be installed as CGI, but it turned out not to be as performant as people were hoping, thus FastCGI was invented. All current high performance PHP sites use FastCGI/FPM, generally with nginx or sometimes with Apache's event MPM. FastCGI/FPM are not vulnerable to this as they do not permit PHP to be called directly through /cgi-bin.

If your server isn't an ancient rotting pile of PHP run as CGI, then you need not worry about this request.


The general problem is command injection, made easier by old insecure CGI configurations allowing direct PHP execution, although a modern web server that sent a 404 isn't vulnerable to this specifically.

You prevent it by removing CGI where it is not needed, locking down the web server with file permissions and maybe SELinux, and securing your web apps. Open Web Application Security Project Testing Project has some general advice.
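As an added example (not code from either answer, nor from PHP or Apache), here is a small Python log scanner that applies the CGI rule the request in the question relies on. Per RFC 3875 section 4.4, when a request's query string contains no unencoded `=`, a CGI-capable server splits it on `+`, URL-decodes each word and passes the words to the script as command-line arguments; that is how `-d allow_url_include=on` reaches a php-cgi binary as an interpreter option instead of as form data. The scanner reads Apache combined-format log lines (constructed samples, the first one carrying the opening options of the question's encoded request), rebuilds the argv a CGI server would have produced, flags requests that would hand options to a PHP binary, and lists the ini directives such a request tried to force so you can tell a 404 (nothing ran) from a hit that needs follow-up. The set of binary names and the log format are assumptions; adjust them to your installation.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache combined format (not taken from the
# question's logs). Line 1 carries the first few options of the encoded query
# string from the question; the rest is ordinary traffic used to check that
# the rule does not fire on benign hyphens or normal key=value queries.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:12:00:01 +0000] "POST /%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%6E HTTP/1.1" 404 286 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:12:00:02 +0000] "GET /index.php?page=home&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2015:12:00:03 +0000] "GET /search?q=foo-bar HTTP/1.1" 200 810 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:12:00:04 +0000] "GET /docs/readme.txt HTTP/1.1" 200 1200 "-" "curl/7.35.0"
"""

# Apache "combined" request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Assumed names of a PHP CGI binary reachable under a ScriptAlias; adjust.
PHP_CGI_BINARIES = {"php", "php-cgi", "php5-cgi"}


def cgi_argv(target):
    """Return (decoded_path, argv) as a CGI server would build them.

    RFC 3875 s4.4: only when the raw query string has no '=' is it split on
    '+' and each word URL-decoded into a command-line argument. Otherwise
    the script gets no argv (the query stays in QUERY_STRING only).
    """
    path, sep, query = target.partition("?")
    path = unquote(path)
    if not sep or not query or "=" in query:
        return path, []
    return path, [unquote(word) for word in query.split("+")]


def is_php_cgi_option_injection(target):
    """True when the request would reach a PHP CGI binary with options.

    The path's last component must be one of the known binary names and at
    least one argv word must look like an interpreter option ('-...').
    """
    path, argv = cgi_argv(target)
    binary = path.rsplit("/", 1)[-1].lower()
    return binary in PHP_CGI_BINARIES and any(w.startswith("-") for w in argv)


def ini_overrides(argv):
    """Collect '-d directive=value' pairs so an analyst sees which php.ini
    settings the request tried to force (both '-d k=v' and '-dk=v' forms)."""
    found = {}
    words = iter(range(len(argv)))
    for i in words:
        word = argv[i]
        if word == "-d" and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            found[key] = value
            next(words, None)  # skip the consumed value word
        elif word.startswith("-d") and len(word) > 2:
            key, _, value = word[2:].partition("=")
            found[key] = value
    return found


def scan_log(text):
    """Return one record per flagged request; status tells you whether the
    server actually served it (4xx means nothing ran)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not is_php_cgi_option_injection(target):
            continue
        path, argv = cgi_argv(target)
        hits.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "path": path,
            "argv": argv,
            "ini": ini_overrides(argv),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        verdict = "served, investigate" if hit["status"] < 400 else "rejected"
        print(f"{hit['ip']} {hit['path']} status={hit['status']} ({verdict})")
        print("  argv:", hit["argv"])
        print("  ini overrides attempted:", hit["ini"])
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file contents; a flagged request answered with 2xx from a host that still exposes a PHP CGI binary is the case the first answer describes, while a 404 confirms the server never handed the options to an interpreter.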