Make Homepage | Add To Favorites | Print Page | Submit News | Feedback | Contact | 

Your Technical Computer Information Resource!  
  Technical Updates @ TACKtech Corp.  

05.06.2012 - PHP 5.3.12 and 5.4.2 and the CGI flaw (CVE-2012-1823)

View PHP related news. PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected. One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this: RewriteCond %{QUERY_STRING} ^[^=]*$ RewriteCond %{QUERY_STRING} %2d|\- [NC] RewriteRule .? - [F,L] Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.Another set of releases are planned for Tuesday, May, 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).We apologize for the inconvenience created with these releases and the (lack of) communication around them.

- Download PHP
- View Press Release
- Visit PHP Group

NID: 41872 / Submitted by: The Zilla of Zuron
Categories: Open Source, Server Applications, Programming
Most recent PHP related news.
PHP 7.1.0 Release Candidate 4 Released
PHP 5.6.27 Released
PHP 7.1.0 Release Candidate 3 Released
PHP 7.1.0 Release Candidate 2 Released
PHP 5.6.26 is released
View archive of PHP related news.

Visit the TACKtech Shop
  Popular Tech News  
  Most Viewed News  
  Top Affiliates