News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

PHP.net:
PHP 5.3.12 and PHP 5.4.2 Released!
May 04, 2012 @ 07:19:08

The PHP project has officially released the latest versions in both the 5.3.x and 5.4.x series in response to a bug that was found in the CGI setup of certain server+PHP configurations.

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states: 'Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.'

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable. If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

You can download this latest version from the downloads page for the source releases or windows.php.net for the Windows binaries. You can look at the Changelog if you'd like more details on the update.

0 comments voice your opinion now!
release bugfix cgi request handling apache modcgi


blog comments powered by Disqus

Similar Posts

DynamicWebPages.de: PHP 4.4.2 Release Candidate 1 Posted

Community News: Zend Framework 0.9 beta feature-freeze

DynamicWebPages.de: PHP 5.1.3RC1 Released

PHP.net: PHP 5.2.14 and PHP 5.3.3 Released

Till's Blog: Zend Framework performance


Community Events





Don't see your event here?
Let us know!


opinion update tips install api language series library community deployment list introduction podcast zendserver framework symfony package release interview laravel

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework