Article ID: 114058, created on Jun 5, 2012, last review on Jun 17, 2016

  • Applies to:
  • Web Presence Builder
  • Plesk 12.0 for Linux
  • Plesk 11.5 for Linux
  • Plesk 10.4 for Linux/Unix
  • Plesk 11.5 for Windows
  • Plesk 10.4 for Windows
  • Plesk Sitebuilder 4.5 for Linux/Unix


On May 3, 2012, the PHP-CGI remote code execution vulnerability was disclosed to the general public. This is a Critical Vulnerability affecting all software that uses PHP-CGI.

You can find information on which versions of Parallels Plesk SiteBuilder (PPSB) and Web Presence Builder (WPB) are affected by the vulnerability below.

Not affected:

  • PPSB 2.x-4.x for Windows;
  • WPB shipped with Parallels Plesk Panel 10.x-11.x for Linux and Windows;
  • WPB 10.x-11.x for Linux Standalone.

Are affected:

  • Parallels Automation for WPB 10.x-11.x (see article #114080 for details and resolution instructions)
  • PPSB 2.x-4.x for Linux (see details and resolution below)


PHP-CGI installations are vulnerable to remote code execution. The vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec. In particular, this concerns the Apache webserver, and some others.


A critical flaw was discovered in PHP (CVE-2012-1823) which allows someone to get the PHP script source code and potentially trigger a remote code execution in some cases (there is no publicly available PoC):

The official patch given on this page still does not resolve the issue entirely.

How to verify if website is vulnerable

In a browser, add "?-d" to the website URL with some existing PHP script, such as in the following example:


You will get

500 Internal Server Error

and the following can be found in the /var/log/apache2/sitebuilder_error.log file:

[Tue Jun 05 15:25:00 2012] [error] [client] Error in argument 1, char 2: no argument for option d
[Tue Jun 05 15:25:00 2012] [error] [client] malformed header from script. Bad header=       php5 <file> [args...]: php5

Resolution (does not work for FreeBSD)

To get this issue resolved, please follow the steps provided below:

  1. Download the cve-2012-1823-wa_sb.tgz archive.

    # wget
  2. Extract the following from the archive:

    # tar xzvf cve-2012-1823-wa_sb.tgz
    # cd cve-2012-1823-wa_sb
  3. Launch the script:

    # sh

You will get an output that reads "Wrapped: PHP5."

Manual solution (for FreeBSD only)

  1. Download the cve-2012-1823-wa_sb.tgz archive:

    # fetch
  2. Extract the following from the archive:

    # tar xzvf cve-2012-1823-wa_sb.tgz
    # cd cve-2012-1823-wa_sb
  3. Create a copy of the original PHP-CGI binary:

    # mv /usr/local/sitebuilder/cgi-bin/php /usr/local/sitebuilder/cgi-bin/php.orig
  4. Replace the PHP binary with the wrapper from the attachment:

    # cp php_wrapper.freebsd /usr/local/sitebuilder/cgi-bin/php
  5. Set correct permissions on the copied file:

    # chmod 755 /usr/local/sitebuilder/cgi-bin/php
    # chown root:wheel /usr/local/sitebuilder/cgi-bin/php

To verify that the fix is properly installed, launch the following:

# /usr/local/sitebuilder/cgi-bin/php -v

Important note for the FreeBSD solution: Do not apply this solution more than once. To find out if it has already been applied, check if the /usr/local/sitebuilder/cgi-bin/php.orig file exists in the system. If it does, do not delete it and do not repeat the above steps.

Search Words

500 Internal Server Error

Critical Vulnerability

php cgi injection

Critical Vulnerability affecting all software that uses PHP-CGI

sb hacked

code execution vulnerabilit

malformed header from script



[Mon May 19 11:22:35 2014] [error] [client] malformed header from script. Bad header=IlwvdmFyXC93d3dcL3Zob3N0c1wvZX: cgi_wrapper

PHP-CGI remote code execution vulnerability

56797cefb1efc9130f7c48a7d1db0f0c fad6dc0c8e983c17ae70a51ac7952cd0 bd7fc88cf1b01f097749ae6f87272128 a914db3fdc7a53ddcfd1b2db8f5a1b9c 85a92ca67f2200d36506862eaa6ed6b8 29d1e90fd304f01e6420fbe60f66f838 c796c01d6951fa24ed54c7f1111667c6 0a53c5a9ca65a74d37ef5c5eaeb55d7f dd0611b6086474193d9bf78e2b293040 d055be4fdc562a8ecb8e6d0bf419f946 2a5151f57629129e26ff206d171fbb5f e335d9adf7edffca6a8af8039031a4c7 e8756e9388aeca36710ac39e739b2b37 f7f840260c1591440648a375a64b5b75 ea6a61e571a858aa6019ceb068ea403a ff5a00b8ead2e480367b019417a04207 01bc4c8cf5b7f01f815a7ada004154a2 46a8e394d6fa13134808921036a34da8 9305481d3bd31663b68451e3bfdec5a5

Email subscription for changes to this article
Save as PDF