Preconfigured packages of PHP 5.3.12 and PHP 5.4.2

 
Post new topic   Reply to topic    Aprelium Forum Index -> PHP
View previous topic :: View next topic  
Author Message
aprelium-support
-


Joined: 20 Feb 2009
Posts: 356

PostPosted: Mon May 07, 2012 3:20 pm    Post subject: Preconfigured packages of PHP 5.3.12 and PHP 5.4.2 Reply with quote

Dear all,

A severe flaw was discovered in some setups of PHP (see http://www.php.net/archive/2012.php#id2012-05-03-1 and http://www.php.net/archive/2012.php#id2012-05-06-1 .)

This flaw does not seem to affect PHP when used with the FastCGI interface (which is the recommended setup with Abyss Web Server); nevertheless, we have created two new preconfigured packages of the latest stable versions of PHP for Windows which fix this issue.

PHP 5.4.2 : http://www.aprelium.com/data/php542.exe
PHP 5.3.12 : http://www.aprelium.com/data/php5312.exe

Setup instructions are available in http://www.aprelium.com/abyssws/php5win.html .
_________________
Support Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Visit poster's website
jxxaxxy
-


Joined: 11 Nov 2010
Posts: 42

PostPosted: Mon May 07, 2012 6:00 pm    Post subject: Reply with quote

Thank you will test it out later tonight.
Back to top View user's profile Send private message
DavidQ
-


Joined: 28 Jan 2009
Posts: 18

PostPosted: Tue May 08, 2012 11:50 am    Post subject: Reply with quote

Hi,

I just checked out the PHP news item relating to this and found there is a further problem and there will be another release today Tuesday the 8th of May. I thought you would like to know about it...

http://www.php.net/archive/2012.php#id2012-05-06-1

Quote:
PHP 5.3.12 and 5.4.2 and the CGI flaw (CVE-2012-1823)
[06-May-2012]

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this:

RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.

Another set of releases are planned for Tuesday, May, 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).

We apologize for the inconvenience created with these releases and the (lack of) communication around them.
Back to top View user's profile Send private message
admin
Site Admin


Joined: 03 Mar 2002
Posts: 1295

PostPosted: Sun May 13, 2012 7:24 pm    Post subject: Reply with quote

DavidQ,

If you use PHP with the FastCGI on Abyss Web Server, you are safe and won't be affected by these issues.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com
Back to top View user's profile Send private message
DavidQ
-


Joined: 28 Jan 2009
Posts: 18

PostPosted: Sat May 19, 2012 8:16 pm    Post subject: Reply with quote

Thanks for letting me know.

Cheers,

David
Back to top View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> PHP All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group