Albertech.net

PHP 5.4.3 and PHP 5.3.13 released – important security fix for php cgi

May 11, 2012 5:45 pm / Albertech.net

If you are running php-cgi, there is a major vulnerability that will allow attackers to view and run PHP source code on your site.

Resources on the vulnerability:
http://blog.spiderlabs.com/2012/05/honeypot-alert-active-exploit-attempts-for-php-cgi-vuln.html
http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ 

  • Many nginx setups use php-cgi, so it is critical to patch PHP to the latest version or apply the recommended mod_rewrite workaround.
  • mod_php and php-fpm systems are not vulnerable to this attack. Most Apache web server setups use the mod_php method for PHP.

If you are running an older version of PHP and cannot update to 5.3, you can try using Apache rewrite rules. Here’s what the PHP site recommends:

     One way to address these CGI issues is to reject the request if the query string contains a ‘-’ and no ‘=’. It can be done using Apache’s mod_rewrite like this:

    RewriteCond %{QUERY_STRING} ^[^=]*$
    RewriteCond %{QUERY_STRING} %2d|\- [NC]
    RewriteRule .? - [F,L]

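As an added example (not from this post or from PHP.net), the Python below reproduces the two RewriteCond tests as a predicate and runs it over constructed Apache common-log lines, so you can check whether a given request would have been refused and review old logs for the same pattern. Like the rewrite rule, it matches the raw, still percent-encoded query string; the log lines and addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit

# The two RewriteCond lines as Python regexes on the raw QUERY_STRING,
# exactly as mod_rewrite evaluates them (no percent-decoding).
NO_EQUALS = re.compile(r'^[^=]*$')
HAS_DASH = re.compile(r'%2d|\-', re.IGNORECASE)   # the [NC] flag

def is_blocked(query_string):
    """True if the PHP.net rewrite rules would answer 403 for this query string."""
    return bool(NO_EQUALS.match(query_string) and HAS_DASH.search(query_string))

# Constructed sample log (not from a real server), Apache common log format.
# Note the last line: any query with a '-' and no '=' is refused, so a
# legitimate URL of that shape is blocked as well (the rule's known cost).
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2012:17:45:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.7 - - [11/May/2012:17:45:02 +0000] "GET /index.php?-d+display_errors%3d1 HTTP/1.1" 200 700
203.0.113.9 - - [11/May/2012:17:45:03 +0000] "GET /index.php?-s HTTP/1.1" 200 8192
203.0.113.11 - - [11/May/2012:17:45:04 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 8192
203.0.113.13 - - [11/May/2012:17:45:05 +0000] "GET /blog/2012-05-11/?id=42 HTTP/1.1" 200 900
203.0.113.15 - - [11/May/2012:17:45:06 +0000] "GET /search.php?php-cgi HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def find_suspicious(log_text):
    """Return (client, request target) pairs the rewrite rule would have refused."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # urlsplit keeps the query percent-encoded, matching QUERY_STRING.
        qs = urlsplit(m.group('target')).query
        if is_blocked(qs):
            hits.append((line.split()[0], m.group('target')))
    return hits

if __name__ == '__main__':
    for client, target in find_suspicious(SAMPLE_LOG):
        print(f'{client} {target}')
```

The `%3d` case in the second line shows why the rule works on the raw string: an encoded `=` does not count as the `=` that would let the request through, while the `-d` still trips the second condition.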
There is also a PHP buffer overflow vulnerability in 5.4 that is addressed in the patch. http://www.php.net/archive/2012.php#id2012-05-08-1

Posted in: PHP / Tagged: php cgi, security