Latest PHP patch cannot fix the bug

  Peter      2012-05-08 11:20:56

On Wednesday (2012-05-02), a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004 and came to light during a recent CTF competition.

A CERT advisory on the flaw explains: “When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.”

Later, PHP developers published some patches for PHP 5.3.12 and PHP 5.4.2. Unfortunately, these fixes were found to be easily bypassed. For more information, refer to "Official Fix for PHP Flaw Easily Bypassed".

This bug may affect many hosted websites: once a website allows remote code execution, attackers have a chance to take it over. Hopefully a workable patch will be published soon.

Reference: http://www.securityweek.com/official-fix-php-flaw-easily-bypassed-researchers-say
