
PHP.net:
PHP 5.3.12 and PHP 5.4.2 Released!
May 04, 2012 @ 07:19:08

The PHP project has officially released the latest versions in both the 5.3.x and 5.4.x series in response to a bug that was found in the CGI setup of certain server+PHP configurations.

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states: 'Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.'

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable. If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

You can download this latest version from the downloads page for the source releases or windows.php.net for the Windows binaries. You can look at the Changelog if you'd like more details on the update.
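
An added example, not part of the PHP.net announcement or this post: a Python check that scans web access logs for the "indexed query" case quoted above (a GET or HEAD request whose query string has no unencoded "=") and flags those where a word begins with "-", as in the `?-s` test. The log lines are constructed, the function names are illustrative, and the splitting of the search string on "+" follows RFC 3875 section 4.4, which this page does not quote.

```python
import re
from urllib.parse import unquote

# Request part of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def indexed_query_words(method, target):
    """Return the words a CGI server may pass to the script as command-line
    arguments, or [] when the request is not an 'indexed' query."""
    if method not in ("GET", "HEAD"):
        return []
    _, sep, query = target.partition("?")
    # Any unencoded "=" makes this an ordinary query string (%3D is encoded).
    if not sep or not query or "=" in query:
        return []
    # RFC 3875 section 4.4: split the search string on "+", then URL-decode.
    return [unquote(word) for word in query.split("+")]


def suspicious_requests(log_lines):
    """Return (target, words) for requests whose indexed query contains a
    word that starts with "-", i.e. something that looks like a switch."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        words = indexed_query_words(match["method"], match["target"])
        if any(word.startswith("-") for word in words):
            hits.append((match["target"], words))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/May/2012:07:20:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/May/2012:07:20:05 +0000] "GET /index.php?page=2&sort=-date HTTP/1.1" 200 8301',
    '203.0.113.9 - - [04/May/2012:07:21:10 +0000] "HEAD /info.php?%2Ds HTTP/1.1" 200 0',
    '203.0.113.9 - - [04/May/2012:07:21:12 +0000] "GET /search.php?php+cgi HTTP/1.1" 200 911',
    '203.0.113.9 - - [04/May/2012:07:21:15 +0000] "POST /index.php?-s HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for target, words in suspicious_requests(SAMPLE_LOG):
        print(f"indexed query with switch-like word: {target} -> {words}")
```

A hit only shows that a request matched the pattern; whether the server was affected depends on how PHP is run, as described above.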


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework