Today's Question:  What does your personal desk look like?        GIVE A SHOUT

Latest PHP patch cannot fix the bug

  Peter        2012-05-08 11:20:56       15,525        0    

On Wednesday(2012-05-02), a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition.

A CERT advisory on the flaw explains: “When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,”

Later, PHP developers published some patches for PHP 5.3.12 and PHP 5.4.2. But unfortunately, these fixes are found to be easily bypassed. For more information, refer Official Fix for PHP Flaw Easily Bypassed.

This bug may affect many hosted websites, since once the website can allow remote code execution, this will give chances to bad people to take over some websites. Hope the feasible patches can be published soon.

Reference : http://www.securityweek.com/official-fix-php-flaw-easily-bypassed-researchers-say

PHP  BUG  PATCH  BYPASSED 

Share on Facebook  Share on Twitter  Share on Weibo  Share on Reddit 

  RELATED


  0 COMMENT


No comment for this article.