PHP Security alert

[Timbalu]

http://www.php.net/archive/2012.php#id2012-05-03-1
Servers using Apache mod_cgi (php5-cgi) are affected by a vulnerability in certain CGI-based setups which shows a scripts sourcecode via a GET url.

As there is a official workaround which does not fit enough, you could use this from the heise(de) forum, as long as there aren't strong official PHP patches:

Code: Select all

# ---Code-Schnipsel für eine Apache Config-Datei, Start, v0.3---
# Workaround: PHP vulnerability, CGI based PHP call
# see http://www.php.net/archive/2012.php#id2012-05-03-1
RewriteEngine On
RewriteCond %{QUERY_STRING} "^(%20|\+){0,}(%2d|-)(.*)$" [NC]
RewriteRule (.*) $1?nice=try [L,NC]
# ---Code-Schnipsel für eine Apache Config-Datei, Ende, v0.3---

[yellowled]

Servers using Apache mod_cgi (php5-cgi) are affected by a vulnerability in certain CGI-based setups which shows a scripts sourcecode via a GET url.

Also note that FastCGI is usually not affected by this vulnerability, but depending on your hoster's setup, it could be affected. Apparently (I can't explain this better), you can run FastCGI in different ways. My old hoster offered to run it through an AddHandler statement in the user's .htaccess – that way, FastCGI PHP is still vulnerable to this (that's what their support says; I still have some client accounts there).

YL

[Timbalu]

Update: the patches by php.net do not solve the problem by now.
http://www.php-security.net/archives/11 ... -2311.html
advises this as a hot-fix:

Code: Select all

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]