aprelium-support -
Joined: 20 Feb 2009 Posts: 356
jxxaxxy -
Joined: 11 Nov 2010 Posts: 42
Posted: Mon May 07, 2012 6:00 pm Post subject:
Thank you, will test it out later tonight.
DavidQ -
Joined: 28 Jan 2009 Posts: 18
Posted: Tue May 08, 2012 11:50 am Post subject:
Hi,
I just checked out the PHP news item relating to this and found there is a further problem and there will be another release today Tuesday the 8th of May. I thought you would like to know about it...
http://www.php.net/archive/2012.php#id2012-05-06-1
Quote:
PHP 5.3.12 and 5.4.2 and the CGI flaw (CVE-2012-1823)
[06-May-2012]
PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.
One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this:
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.
Another set of releases is planned for Tuesday, May 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).
We apologize for the inconvenience created with these releases and the (lack of) communication around them.
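The mitigation in the quoted PHP.net notice can be checked offline before it is put in front of a server. The script below is an added example, not code from this thread, from PHP.net or from Aprelium: it emulates the two RewriteCond lines with a shell function and runs it over constructed query strings (including the ?top-40 false positive the notice warns about), and it shows the difference between forwarding arguments with $* and with "$@" that the notice blames on insecure cgiwrapper scripts. The query strings and the helper names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the PHP.net notice or the Abyss forum.

# Emulates the quoted rule:
#   RewriteCond %{QUERY_STRING} ^[^=]*$        (no '=' anywhere in the query string)
#   RewriteCond %{QUERY_STRING} %2d|\- [NC]    (a literal '-' or URL-encoded %2d/%2D)
#   RewriteRule .? - [F,L]                     (both true -> 403 Forbidden)
# mod_rewrite sees the raw, undecoded query string, which is why the encoded
# form %2d has to be matched as well. Returns 0 when the request would be
# blocked and 1 when it would pass.
should_block() {
    qs=$1
    case $qs in
        *=*) return 1 ;;                       # first condition fails: request passes
    esac
    printf '%s' "$qs" | grep -Eiq -- '%2d|-'   # second condition: a dash is present
}

# A wrapper that passes $* unquoted re-splits every argument on whitespace before
# php-cgi sees it; "$@" forwards each argument exactly as received. These helpers
# report how many arguments the downstream program receives in each case.
arg_count() { echo "$#"; }
forward_with_star() { arg_count $*; }
forward_with_at()   { arg_count "$@"; }

# Constructed sample query strings (not real traffic): '?top-40' is the benign
# request the notice says will be rejected, '?-option' and '?%2Doption' are
# dash-only query strings, the rest contain an '=' and pass.
demo() {
    for qs in 'id=5' 'top-40' '-option' '%2Doption' 'a=-b' ''; do
        if should_block "$qs"; then verdict=BLOCKED; else verdict=allowed; fi
        printf '?%-12s %s\n' "$qs" "$verdict"
    done
    printf 'args via $*:   %s\n' "$(forward_with_star 'a b' c)"
    printf 'args via "$@": %s\n' "$(forward_with_at 'a b' c)"
}

demo
```

Running it shows ?top-40 reported as BLOCKED, which is the side effect the notice asks you to adjust the regex for, and shows that a single argument 'a b' arrives as two arguments when forwarded with $* but as one with "$@". The grep -i stands in for the [NC] flag, so both %2d and %2D are caught.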
admin Site Admin
Joined: 03 Mar 2002 Posts: 1296
Posted: Sun May 13, 2012 7:24 pm Post subject:
DavidQ,
If you use PHP with FastCGI on Abyss Web Server, you are safe and won't be affected by these issues.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
Forum Administrator
Aprelium - https://aprelium.com
DavidQ -
Joined: 28 Jan 2009 Posts: 18
Posted: Sat May 19, 2012 8:16 pm Post subject:
Thanks for letting me know.
Cheers,
David