Become a fan of Slashdot on Facebook


Forgot your password?

Submission + - Official Fix for PHP Flaw Easily Bypassed, Researchers Say (

wiredmikey writes: On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition.

“When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,” a CERT explains.

PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn’t actually remove the vulnerability....

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Official Fix for PHP Flaw Easily Bypassed, Researchers Say

Comments Filter:

FORTRAN is not a flower but a weed -- it is hardy, occasionally blooms, and grows in every computer. -- A.J. Perlis