Source Code Disclosure - CVE-2012-1823

ID

source_code_disclosure_cve_2012_1823

Severity

critical

Kind

Information Disclosure

CWE

20

Description

Some PHP versions, when configured to run as CGI, do not correctly handle query strings that lack an unescaped "=" character, enabling PHP source code disclosure and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain plain HTML.

Rationale

This vulnerability allows attackers to bypass PHP execution and retrieve raw source code by crafting malicious query strings. Exposed source code can reveal sensitive information such as database credentials, API keys, encryption secrets, and business logic. Furthermore, the same vulnerability can be exploited to achieve arbitrary code execution, allowing attackers to completely compromise the web server and potentially pivot to internal systems.

Remediation

Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives.
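
To find requests that such a filter would need to block, the following log triage check flags requests whose raw query string has no unescaped "=" and begins with a hyphen. It is an added example, not part of the original advisory or of any scanner's code; the leading-hyphen condition, the `.php`/directory suffixes, the `-x` placeholder option and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Request field of a combined-format access log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, placeholder option "-x").
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2012:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 512',
    '192.0.2.11 - - [03/May/2012:10:00:02 +0000] "GET /index.php?-x HTTP/1.1" 200 2048',
    '192.0.2.12 - - [03/May/2012:10:00:03 +0000] "GET /shop/?%2Dx+y HTTP/1.1" 200 4096',
    '192.0.2.13 - - [03/May/2012:10:00:04 +0000] "GET /search.php?-term=1 HTTP/1.1" 200 300',
    '192.0.2.14 - - [03/May/2012:10:00:05 +0000] "GET /logo.png?-x HTTP/1.1" 200 900',
    '192.0.2.15 - - [03/May/2012:10:00:06 +0000] "GET /index.php?a%3Db HTTP/1.1" 200 512',
]


def is_suspicious_query(query: str) -> bool:
    """True when the raw (still percent-encoded) query string contains no
    unescaped '=' and starts with a hyphen, literal or encoded as %2d.
    The hyphen test is an assumption, not a condition stated in the advisory."""
    if not query or "=" in query:  # "%3D" is an escaped '=' and does not count
        return False
    return query.startswith("-") or query.lower().startswith("%2d")


def scan(lines, suffixes=(".php", "/")):
    """Return (line_number, client, target) for each request worth reviewing.
    Paths ending in '/' are included on the assumption that the directory
    index may be a PHP script."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        target = match.group("target")
        parts = urlsplit(target)  # urlsplit leaves percent-encoding untouched
        if parts.path.lower().endswith(suffixes) and is_suspicious_query(parts.query):
            hits.append((number, line.split()[0], target))
    return hits


if __name__ == "__main__":
    for number, client, target in scan(SAMPLE_LOG):
        print(f"line {number}: {client} requested {target}")
```

A hit is a lead for review rather than proof of compromise; compare the response size for the flagged request with the normal rendered page to judge whether source was returned.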