Recently Exposed PHP Hole's Official Fix Ineffective

wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,' a CERT advisory explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't actually remove the vulnerability."

Re:And

[Richard_at_work]

Out of interest, what does the "great track record" refer to? The security has historically been consistently horrific, the performance has historically been consistently horrific, the consistency of the language has been consistently horrific, the development of the language has been consistently horrific...

I do miss the documentation, now that was awesome. But I don't miss the rest of it.

Re:You shouldn't. Nobody should.

[digitalaudiorock]

Yea, this PHP bashing here gets really old. Sure, the fact that it's a high level language attracts some clueless programmers that write bad code, but that's not the languages fault. I happen to be in a position right now where I do most of my coding in PHP. There are in fact things about it that drive me crazy, but the fact is that you can write great stuff with PHP and you can do it very quickly. As far as this exploit goes, who actually uses PHP in cgi mode rather than as an Apache module?

Re:You shouldn't. Nobody should.

[Just+Some+Guy]

as long as you escape your strings before passing them to MySQL

You know, I only hear PHP developers saying stupid shit like that. No one in Python talks about escaping strings (unless they're writing database libraries). Rubyists don't escape strings. Perl monks sure as hell don't escape strings. VB(\.Net)? programmers might escape strings, but we don't really count them. No one escapes strings anymore because it's stupid, error prone, and dangerous.

And yet PHP coderz still do it. Why? Oh, right: because the official docs teach them to:

// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));

// Perform Query
$result = mysql_query($query);

Fucking hell. In 2012, we're still exposing newbies to that idiocy, and when they do it poorly and some kid in Latvia owns a major PHP project as a result, defenders jump out to yell "it's the programmer, not the language!"