[Solved] Bug PHP

[kurgans]

Good morning, this bug detected in our engine we use php for even a bush in 5.2 may be a problem for our servers.

Any partner I may say something


PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this:

RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.
Another set of releases are planned for Tuesday, May, 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).

We apologize for the inconvenience created with these releases and the (lack of) communication around them.

[kurgans]

tomhb Wrote:Hi

It seems, I cant write in the security thread...
ispCP ist not affected in this point! Read more about the cgi-wrapper from
iscpCP and you would see this.

Thanks mate I was not sure if would affect


Please correct your thread.

If you would simple test your websites of one of these mistakes, try:
http://example.com/index.php?-s
One of your domains. Nothing freaky should happen, but if you see the
source of the php-file your server is in trouble!
The workaround with the rewrite-rule only fix this situation (probably the worst),
but there are other things that might be dangerous. hth.

tom

[ephigenie]

Thanks for the hint - I'll make it sticky in the security thread as it will affect a lot of people.