Latest PHP patch cannot fix the bug

  Peter        2012-05-08 11:20:56       15,856        0    

On Wednesday(2012-05-02), a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition.

A CERT advisory on the flaw explains: “When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,”

Later, PHP developers published some patches for PHP 5.3.12 and PHP 5.4.2. But unfortunately, these fixes are found to be easily bypassed. For more information, refer Official Fix for PHP Flaw Easily Bypassed.

This bug may affect many hosted websites, since once the website can allow remote code execution, this will give chances to bad people to take over some websites. Hope the feasible patches can be published soon.

Reference : http://www.securityweek.com/official-fix-php-flaw-easily-bypassed-researchers-say

PHP  BUG  PATCH  BYPASSED 

       

  RELATED


  0 COMMENT


No comment for this article.



  RANDOM FUN

Be careful with mathematician

A mathematician was interviewing for a job. The interviewer asks him - "You are walking towards your office and running late for a very important meeting and you glimpse a building on fire with people screaming for help. What will you do?".The mathematician thinks for a while and replies : "People's