DaemonForums  

News News regarding BSD and related.

#1
Old 3rd May 2012
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Critical open hole in PHP creates risks

From http://h-online.com/-1567532

Quote:
The US CERT is warning of a critical vulnerability in PHP which has been disclosed, by mistake, to the public while the developers are still working on a fix. The vulnerability affects servers that are running PHP in CGI mode; FastCGI for PHP installations are not affected.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#2
Old 4th May 2012
Carpetsmoker
Real Name: Martin
Tcpdump Spy
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243
This is *only* when using PHP in CGI mode, which is pretty rare nowadays. If you're still using CGI, this is a good time to switch to FastCGI.

Also note that it may be that only Apache is affected; from http://www.hiawatha-webserver.org/weblog/36

Quote:
I took a closer look at the bug report and found that it's not PHP that is vulnerable, but PHP in combination with the webserver (Apache?) used by the bug reporter. When using Hiawatha, you are not vulnerable. Hiawatha does not (of course!!!) add URL parameters to the command line when executing PHP in CGI mode.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#3
Old 4th May 2012
J65nko
Administrator
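As an added, defender-side example (not code from this thread, from PHP or from Hiawatha): the CGI convention Hiawatha refuses to follow is RFC 3875 section 4.4, under which a query string containing no unencoded "=" is split on "+" and handed to the script as command-line arguments. The scanner below applies that rule to constructed Apache-style access log lines and flags requests to PHP scripts whose would-be argv begins with an option-like "-" token, which is the pattern an operator would want to find in logs or block at the web server while the fix is pending.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines; addresses and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2012:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [04/May/2012:10:00:02 +0000] "GET /index.php?-example HTTP/1.1" 200 512
203.0.113.9 - - [04/May/2012:10:00:03 +0000] "POST /index.php?%2Dexample HTTP/1.1" 200 128
203.0.113.7 - - [04/May/2012:10:00:04 +0000] "GET /index.php?foo+bar HTTP/1.1" 200 512
203.0.113.7 - - [04/May/2012:10:00:05 +0000] "GET /about.html?-example HTTP/1.1" 200 512
"""

# Matches the request line inside a combined/common log format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv_from_query(query: str):
    """Return the argv a CGI server derives from QUERY_STRING per RFC 3875 s4.4.

    If the query holds an unencoded '=', it is ordinary form data and the
    server passes no command-line arguments, so None is returned.
    """
    if "=" in query:
        return None
    return [unquote(tok) for tok in query.split("+") if tok]


def looks_like_cli_option(query: str) -> bool:
    """True when the derived argv contains a token that would parse as an option."""
    argv = cgi_argv_from_query(query)
    return argv is not None and any(arg.startswith("-") for arg in argv)


def scan_access_log(text: str):
    """Return (method, target) pairs for PHP requests whose query becomes option-like argv."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or "?" not in m.group("target"):
            continue
        path, query = m.group("target").split("?", 1)
        # Only PHP handled as CGI is in scope; static resources are skipped.
        if path.endswith(".php") and looks_like_cli_option(query):
            hits.append((m.group("method"), m.group("target")))
    return hits


if __name__ == "__main__":
    for method, target in scan_access_log(SAMPLE_LOG):
        print(f"suspicious CGI argv: {method} {target}")
```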
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Also see "PHP patch quick but inadequate".
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#4
Old 4th May 2012
Carpetsmoker
Real Name: Martin
Tcpdump Spy
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#5
Old 10th May 2012
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
For another update see "PHP team makes another attempt to close critical CGI hole".
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump