Latest vulnerability in PHP with CGI implementation


Post by jimmybond » Mon May 07, 2012 5:20 am

On May 3 php.net announced the release of PHP 5.3.12 and PHP 5.4.2 to solve a vulnerability in certain CGI-based setups of PHP, which is said to have gone unnoticed for at least 8 years. I tested liway.com's legacy PHP 5.2.17 (by suPHP & CGI handler according to phpinfo()) with this vulnerability (adding ?-s to the end of a PHP script URI to dump the source code) and was glad to find our server is NOT affected by it! Is this because the legacy PHP 5.2.17 was in fact run through a Fast CGI handler instead of Apache's mod_cgi? Thx in advance for any explanation! BTW, the bug report is here: http://bugs.php.net/61910
jimmybond
New around here
 
Posts: 49
Joined: Sat Dec 11, 2010 7:55 am
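
A defensive check for the request shape described in the post above, as an added example that is not part of the original thread: it scans access-log lines for query strings that contain no unencoded `=` and begin with a dash after decoding, the form a CGI handler may pass to the binary as command-line arguments (RFC 3875, section 4.4). The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/May/2012:05:20:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120
192.0.2.10 - - [07/May/2012:05:20:05 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120
192.0.2.11 - - [07/May/2012:05:21:00 +0000] "GET /index.php?page=-s HTTP/1.1" 200 812
192.0.2.12 - - [07/May/2012:05:22:00 +0000] "GET /search.php?q=a-b HTTP/1.1" 200 900
192.0.2.13 - - [07/May/2012:05:23:00 +0000] "GET /index.php HTTP/1.1" 200 812
"""


def is_switch_like_query(target):
    """Return True if the query string could reach a CGI binary as a switch."""
    _, sep, query = target.partition("?")
    # A query containing an unencoded '=' is ordinary form data, not argv.
    if not sep or "=" in query:
        return False
    # '+' separates words in this query form; decode before checking so an
    # encoded leading dash is not missed.
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")


def find_suspicious(log_text):
    """Return (line_number, request_target) for every flagged log line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if match and is_switch_like_query(match.group(1)):
            hits.append((line_no, match.group(1)))
    return hits


if __name__ == "__main__":
    for line_no, target in find_suspicious(SAMPLE_LOG):
        print(f"line {line_no}: {target}")
```

A hit only shows that the request was made; whether the server was affected depends on how PHP is invoked, which is the question the thread goes on to discuss.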

Re: Latest vulnerability in PHP with CGI implementation

Post by Max » Mon May 07, 2012 5:43 am

Running PHP as a CGI module in 2012? Honestly, who the hell does this anymore?

Of course we run additional PHP through suPHP (the default running through an apache handler directly) - which stops that sort of nonsense from happening.
Max
Administrator
 
Posts: 1043
Joined: Sat Jul 18, 2009 3:17 pm

Re: Latest vulnerability in PHP with CGI implementation

Post by jimmybond » Mon May 07, 2012 7:03 am

Great to get your reply in no time! Thanks again for your help. There is a new notice on php.net stating "Another set of releases are planned for Tuesday, May, 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only)." It seems this week is a really busy one for the PHP development team~

Cheers,
Jimmy
jimmybond
New around here
 
Posts: 49
Joined: Sat Dec 11, 2010 7:55 am

Re: Latest vulnerability in PHP with CGI implementation

Post by Max » Mon May 07, 2012 7:11 am

Yes, that's why I'm probably going to delay updating our PHP versions until next weekend.
Max
Administrator
 
Posts: 1043
Joined: Sat Jul 18, 2009 3:17 pm

Re: Latest vulnerability in PHP with CGI implementation

Post by jimmybond » Mon May 07, 2012 7:20 am

Max wrote: Yes, that's why I'm probably going to delay updating our PHP versions until next weekend.


That's great! Hopefully the transition to the new PHP version can run smoothly.
jimmybond
New around here
 
Posts: 49
Joined: Sat Dec 11, 2010 7:55 am

