Recently Exposed PHP Hole's Official Fix Ineffective 240
wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,' a CERT advisory explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't actually remove the vulnerability."
I finally know what PHP stands for. (Score:5, Funny)
Re:Microsoft Sux! (Score:5, Funny)
I generally don't feed your kind, but if PHP was from Microsoft it would be left unpatched for Windows Server 2003, Windows Server 2008 would get a temporary patch blocking most of the functionalities and there would be an announcement that, due to technical restrictions, everybody needs to upgrade to Windows Server 2013 (release date : late December 2015) to get an actual fix. People running iis on XP, Vista or Win7 wouldn't get a patch at all. Of course, anybody running another server than iis would be left in the cold too.
On the positive side, it could be worse ... Apple would just ignore any mention of security problems and systematically erase any posts on their message board refering to them.
That being said : you might want to steer away from PHP anyway. it's a stinking pile of donkey dung
Cheers
Re:And (Score:0, Funny)
Ahhhh, the relief of dropping a big shit. Second to none.
This guy seems to know more about PHP than he's letting on.
Re:You shouldn't. Nobody should. (Score:2, Funny)
Re:You shouldn't. Nobody should. (Score:5, Funny)
Apache is old news. It's bloated and there are security advisories for it all the time. I can't believe anyone uses that anymore. I, like many other admins, start by writing a webserver using the bourne shell:
http://sprocket.io/blog/2008/03/writing-a-web-server-in-bourne-shell/ [sprocket.io]
Then, all of the web development is done using LISP. LISP is much cleaner to write a CGI program in than the bourne shell. Here's a CGI LISP tutorial that includes a comparison of the two:
http://cybertiggyr.com/lc/ [cybertiggyr.com]
No need to thank me for getting you up to speed on the latest web development techniques... but you're welcome.
Re:And (Score:5, Funny)
Out of interest, what does the "great track record" refer to? The security has historically been consistently horrific, the performance has historically been consistently horrific, the consistency of the language has been consistently horrific, the development of the language has been consistently horrific...
They do have a great track record at being consistently horrific...