Bug PHP Programming Security

Recently Exposed PHP Hole's Official Fix Ineffective

wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,' a CERT advisory explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't actually remove the vulnerability."
This discussion has been archived. No new comments can be posted.
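
The CGI behaviour quoted in the summary can be looked for in web-server access logs. The following Python check is an added example, not code from the story, the CERT advisory or the PHP project: it rebuilds the argument list a CGI gateway derives from a query string and reports requests whose arguments start with `-`. The function names are hypothetical, the log lines are constructed, and the common/combined log format is assumed.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def cgi_argv(query):
    """Arguments a CGI gateway passes to the script for this query string.

    RFC 3875 section 4.4: a query string with no unencoded '=' is a search
    string; it is split on '+', each word is percent-decoded, and the words
    are added to the command line.
    """
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]

def switches_in_request(log_line):
    """Return decoded arguments that would be read as command-line switches."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    _path, _sep, query = match.group(1).partition("?")
    return [arg for arg in cgi_argv(query) if arg.lstrip().startswith("-")]

def scan(lines):
    """Return (line_number, switches) for every line that carries switches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = switches_in_request(line)
        if found:
            hits.append((number, found))
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 512',
    '203.0.113.6 - - [05/May/2012:10:00:02 +0000] "GET /index.php?id=42 HTTP/1.1" 200 900',
    '203.0.113.7 - - [05/May/2012:10:00:03 +0000] "GET /index.php?%2Dd+example_setting%3D1 HTTP/1.1" 200 17',
    '203.0.113.8 - - [05/May/2012:10:00:04 +0000] "GET /search.php?php+security HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: switches {found}")
```

Decoding before the comparison matters: the third sample line carries its dash and equals sign percent-encoded, so a match on the raw request string alone would miss it.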

  • Re:And (Score:2, Interesting)

    by jhoegl ( 638955 ) on Saturday May 05, 2012 @10:42AM (#39901365)
    No licensing
    stable
    no licensing
    great track record
    no licensing
    flexable
    no licensing
    modules for everything
    no licensing
  • by Anonymous Coward on Saturday May 05, 2012 @11:15AM (#39901521)

    This SO hard.

    This doesn't even touch on the horrible base code itself that is horribly flawed, errors that will happily continue being processed where any other normal language would scream your face off. (which could get seriously bad when used in exploits)

    I think everyone here should have a good hard read of this.
    PHP: A fractal of bad design
    Long story short, most of the language is inconsistent with respect to most other languages.
    Some errors you'd normally expect to be shown in other languages relating to processing data happily continue, no questions asked.
    Horrible chains of flags that are dependent on each other that can change program behavior.
    Inconsistent variable, array and any other handling of types.
    === is broken. As well as various other operators and access methods ( [] and {} )
    Many others.

    After using PHP for a while, I would seriously rather use ASP or VB. At least they are consistent. (but don't, really, don't use either)
    The language is such a terrible hack of a language.
    Use one of the many other far better and robust languages like the ones mentioned in parent.
    PHP seriously isn't worth the effort. A language that isn't predictable and requires you to learn a hundred different quirks and hacks is just embarrassing.

  • Re:Cm'on (Score:5, Interesting)

    by nickdc ( 1444247 ) on Saturday May 05, 2012 @11:19AM (#39901539)
    The answer is Facebook, and I got a job by using this bug against them! see [facebook.com]?
  • by rubycodez ( 864176 ) on Saturday May 05, 2012 @11:20AM (#39901551)
    There is ignorance, all right, between your ears. All languages have security flaws and need constant patches. PHP has robust and well tested frameworks with libraries to sanitise potentially dangerous input. There is nothing that can be done in say Ruby (my favorite language) that cannot also be done well in PHP. PHP now even has closures, lambda, internal iterators....
  • Re:And (Score:5, Interesting)

    by drunkennewfiemidget ( 712572 ) on Saturday May 05, 2012 @11:32AM (#39901615)

    > No licensing
    Wrong [php.net]

    > stable
    This news post is proof that's wrong.

    > great track record
    Wrong. [veekun.com]

    > flexable
    About as flexible as your spelling.

    > modules for everything
    This is true. AND THEY'RE ALL PART OF THE CORE API! ImageMagick, MySQL (THREE TIMES!), Curl, etc .. all in the core API.

    PHP is a fucking disgrace and a blight on the world and needs to die a fiery death.

    (Spend a few minutes reading the URL I linked above at veekun.com for a wonderful breakdown on why PHP is a heinous pile of horseshit.)

  • by TheRaven64 ( 641858 ) on Saturday May 05, 2012 @12:13PM (#39901923) Journal
    Ruby's not that bad, if you can manage to avoid having any interaction with the Ruby community...
