
Latest PHP patch cannot fix the bug

Peter, 2012-05-08 11:20:56

On Wednesday (2012-05-02), a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself dates back to 2004 and came to light during a recent CTF competition.

A CERT advisory on the flaw explains: “When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.”

Later, PHP developers published patches for PHP 5.3.12 and PHP 5.4.2. Unfortunately, these fixes were found to be easily bypassed. For more information, refer to “Official Fix for PHP Flaw Easily Bypassed”.
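The mechanism the advisory describes is the CGI convention (RFC 3875, section 4.4): when a query string contains no unencoded "=", the server treats it as an indexed query, splits it on "+", URL-decodes each piece, and hands the pieces to the CGI program as command-line arguments. That is why "-s" or "-d" in the query string reaches php-cgi as a switch, and it is also what a defender can look for in access logs. The following is an added example written for this article, not code from the article, from the CERT advisory, or from the PHP project; the log lines are constructed, and the detector reports any request whose derived argv would begin with a "-" switch.

```python
"""Flag web requests whose query string a CGI server would pass to php-cgi as
command-line switches (constructed example; not the project's own code).

Rule implemented (RFC 3875 section 4.4): a query string with no unencoded '='
is an "indexed" query. The server splits it on '+', URL-decodes each part and
passes the parts as argv to the CGI program. Any resulting argument that starts
with '-' is a switch such as -s, -d or -c from the advisory above.
"""
import re
from urllib.parse import unquote

# Matches the request line inside a common/combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def cgi_argv_from_query(query: str) -> list:
    """Return the argv list a CGI server would derive from the raw query string.

    Returns [] when the query contains a literal '=' (then it is only exported
    as QUERY_STRING and never becomes argv) or when it is empty.
    """
    if query == "" or "=" in query:
        return []
    # Split on the raw '+' first, then decode: an encoded '%2b' inside a part
    # stays inside that single argument, exactly as the server would treat it.
    return [unquote(part) for part in query.split("+")]


def is_switch_injection(query: str) -> bool:
    """True if any derived CGI argument looks like a command-line switch."""
    return any(arg.startswith("-") for arg in cgi_argv_from_query(query))


def scan_access_log(lines: list) -> list:
    """Return (request target, derived argv) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        target = m.group("target")
        _, _, query = target.partition("?")
        if is_switch_injection(query):
            hits.append((target, cgi_argv_from_query(query)))
    return hits


# Constructed sample log lines (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2012:11:20:56 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/May/2012:11:21:03 +0000] "GET /index.php?-s HTTP/1.1" 200 2048',
    '10.0.0.9 - - [08/May/2012:11:21:10 +0000] "GET /index.php?page=-s HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/May/2012:11:21:15 +0000] "GET /index.php?-d+display_errors%3d1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target, argv in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request: {target} -> php-cgi argv {argv}")
```

Two design points are worth noting. The "=" test is done on the raw, still-encoded query string, because that is what the server inspects; "page=-s" is harmless (it stays in QUERY_STRING), while "-d+display_errors%3d1" is not, since the "=" is encoded and the server decodes it only after the argv split. This check is a detection aid for logs, not a substitute for the server-side fix: the durable mitigation is to stop the web server from forwarding indexed queries to php-cgi as arguments at all.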

This bug may affect many hosted websites: once a website allows remote code execution, it gives bad people a chance to take it over. Hopefully a working patch is published soon.
