Hi, Is there need to worry that with suPHP? http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html Did try but didn't manage to get sources with these: http://example.org/?-s http://example.org/?%20-s http://example.org/?+-s So suPHP is safe or I'm missing something?
Am 04.05.2012 17:36, schrieb Jani Ollikainen: > Is there need to worry that with suPHP? > > http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ > http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html > > So suPHP is safe or I'm missing something? suPHP should be safe, because, unlike the Apache CGI implementation, it will never pass any command-line arguments to the PHP interpreter.
On 4.5.2012 18:50, Sebastian Marsching wrote: >> So suPHP is safe or I'm missing something? > suPHP should be safe, because, unlike the Apache CGI implementation, it > will never pass any command-line arguments to the PHP interpreter. Hi, Ok. Sounds assuring. I was trying to understand how this happens as QUERY_STRING is supposed to be passed in CGI to program in environmental variable, not in command line arguments. So to me this problem sounds to be in Apache CGI implementation not in PHP. So probably Apache has something as idiotic as this: https://issues.apache.org/bugzilla/show_bug.cgi?id=41008 Ok, found: https://issues.apache.org/bugzilla/show_bug.cgi?id=13914 I can't understand the idea of passing query string as command line arguments as CGI has QUERY_STRING, but that's totally off-topic here.
suPHP is not vulnerable to that as PHP scripts are not ran directly from apache and they're not considered CGI scripts. suPHP is safe and you needn't worry. On 05/04/2012 11:36 AM, Jani Ollikainen wrote: > Hi, > > Is there need to worry that with suPHP? > > http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ > http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html > > > Did try but didn't manage to get sources with these: > http://example.org/?-s > http://example.org/?%20-s > http://example.org/?+-s > > So suPHP is safe or I'm missing something? > > > _______________________________________________ > suPHP mailing list > suPHP@... > https://lists.marsching.com/mailman/listinfo/suphp
RSS Feed