Juniper SRX firewalls and EX switches.
The Juniper firewalls use the Appweb web server. When Appweb invokes a CGI script, it passes a variety of environment variables and arguments so that the script can access the user's HTTP request. The body of the HTTP request is passed via stdin. The affected firewalls run FreeBSD, and every FreeBSD process can access its stdin by opening /dev/fd/0.
Because the request body arrives on stdin, sending an HTTP request effectively introduces a "file", /dev/fd/0, to the system. Using that trick, you can set the PHPRC environment variable to /dev/fd/0 and include the desired php.ini in the HTTP request. The following request demonstrates this attack to prepend /etc/passwd to every response.
POST /webauth_operation.php
PAYLOAD:
allow_url_include=1
auto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="
By turning this into a traffic file and matching rule, we are able to detect attempts to modify PHP environment variables.
Idappcom have created signature 8024221 along with a traffic file for this vulnerability.
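The matching idea described above can be sketched as follows. This is an added example, not Idappcom's signature 8024221 or traffic file: it flags requests that reference PHPRC or a /dev/fd/N path anywhere in the message, or that carry the php.ini directives shown above in the body. The function names, sample requests and the host name fw.example are constructed for illustration, and it assumes the tokens appear in cleartext or percent-encoded form.

```python
import re
from urllib.parse import unquote

# Tokens taken from the request and description on this page.
INI_DIRECTIVE = re.compile(
    r"^\s*(allow_url_include|auto_prepend_file)\s*=\s*(.*)$", re.I | re.M)
ENV_TOKEN = re.compile(r"\bPHPRC\b")
FD_PATH = re.compile(r"/dev/fd/\d+")

def normalise(text, rounds=3):
    """Percent-decode up to `rounds` times so nested encoding cannot hide a token."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_request(raw):
    """Return a list of findings for one raw HTTP request (empty list = clean)."""
    head, _, body = raw.partition("\r\n\r\n")
    head, body = normalise(head), normalise(body)
    findings = []
    if ENV_TOKEN.search(head) or ENV_TOKEN.search(body):
        findings.append("PHPRC referenced in request")
    if FD_PATH.search(head) or FD_PATH.search(body):
        findings.append("/dev/fd/N path referenced in request")
    for name, value in INI_DIRECTIVE.findall(body):
        note = " (data:// wrapper)" if "data://" in value.lower() else ""
        findings.append(f"php.ini directive in body: {name.lower()}{note}")
    return findings

# Constructed sample requests; the host name is a placeholder.
HEAD = "POST /webauth_operation.php HTTP/1.1\r\nHost: fw.example\r\n\r\n"
PAGE_REQUEST = HEAD + (
    "allow_url_include=1\n"
    'auto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="\n')
ENCODED_REQUEST = HEAD + "allow%5Furl%5Finclude=1\n"      # directive name percent-encoded
BENIGN_REQUEST = HEAD + "username=alice&password=example\n"  # ordinary form post

if __name__ == "__main__":
    for label, req in [("page", PAGE_REQUEST), ("encoded", ENCODED_REQUEST),
                       ("benign", BENIGN_REQUEST)]:
        print(label, inspect_request(req))
```

A body that sets php.ini directives has no legitimate place in a login form post, so any finding on this endpoint is worth alerting on rather than scoring.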
If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues? Learn more here: https://www.idappcom.co.uk/traffic-iq-professional