Recently Exposed PHP Hole's Official Fix Ineffective
wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,' a CERT advisory explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't actually remove the vulnerability."
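As an added illustration (not part of the submission above, nor of the CERT advisory it quotes), the following Python models the CGI rule that turns a query string into command-line arguments and shows why a request such as `?-s` reaches php-cgi as a switch while `?page=home` does not. The request lines are constructed for the example, and the function names are my own.

```python
"""
Emulate how a CGI web server derives argv from QUERY_STRING, and triage
request lines for the php-cgi switch injection described above.
"""
import urllib.parse

# php-cgi switches singled out in the CERT advisory quoted above:
# -s (print highlighted source), -d (set an INI directive), -c (php.ini path).
PHP_CGI_SWITCHES = ("-s", "-d", "-c")


def query_string_to_argv(query_string: str) -> list[str]:
    """Return the argv a CGI server derives from QUERY_STRING (RFC 3875, 4.4).

    A query string with no unencoded '=' is an "indexed" query: the server
    splits it on '+', percent-decodes each word and passes the words as
    command-line arguments to the CGI program.  A query containing a literal
    '=' is passed only through the QUERY_STRING environment variable.
    """
    if not query_string or "=" in query_string:
        return []
    # unquote (not unquote_plus): '+' is the word separator, so split first,
    # then decode each word.  '%2Ds' therefore becomes '-s'.
    return [urllib.parse.unquote(word) for word in query_string.split("+")]


def php_cgi_switches(argv: list[str]) -> list[str]:
    """Arguments php-cgi would interpret as one of the dangerous switches."""
    return [arg for arg in argv if arg.startswith(PHP_CGI_SWITCHES)]


def is_suspicious_query(query_string: str) -> bool:
    """Web-server-side check: does any decoded argv word start with '-'?

    Applied before the request reaches php-cgi this refuses both the plain
    and the percent-encoded dash.  A blunter variant, matching '-' or '%2d'
    anywhere in an '='-free query, also works but refuses 'a-b'.
    """
    return any(arg.startswith("-") for arg in query_string_to_argv(query_string))


def query_string_of(request_line: str) -> str:
    """Pull the raw query string out of an HTTP request line ('' if none)."""
    target = request_line.split(" ")[1]
    return target.partition("?")[2]


# Constructed request lines (not real log data) to exercise the functions.
SAMPLE_REQUEST_LINES = [
    "GET /index.php?page=home HTTP/1.1",             # '=' present: no argv at all
    "GET /index.php?-s HTTP/1.1",                    # '-s': php-cgi prints the script source
    "GET /index.php?%2Ds HTTP/1.1",                  # same switch, dash percent-encoded
    "GET /index.php?-d+display_errors%3D1 HTTP/1.1", # '-d': sets an INI directive; note the
                                                     # '=' is encoded, so the query stays "indexed"
    "GET /index.php?term+search HTTP/1.1",           # harmless indexed query
]


def triage(request_lines):
    """Map each request line to the argv it yields and the switches php-cgi sees."""
    report = {}
    for line in request_lines:
        qs = query_string_of(line)
        argv = query_string_to_argv(qs)
        report[line] = {
            "argv": argv,
            "switches": php_cgi_switches(argv),
            "suspicious": is_suspicious_query(qs),
        }
    return report


if __name__ == "__main__":
    for line, info in triage(SAMPLE_REQUEST_LINES).items():
        print(line, info)
```

The fourth sample is the detail worth noticing: because the attacker encodes `=` as `%3D`, the server still treats the query as indexed, so a full `name=value` INI directive arrives in argv after decoding. Any fix that only inspects the raw, still-encoded QUERY_STRING for a leading `-` misses the `%2D` form for the same reason.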
No licensing
stable
no licensing
great track record
no licensing
flexable
no licensing
modules for everything
no licensing
This is SO hard.
This doesn't even touch on the horrible base code itself, which is horribly flawed: errors that would make any other normal language scream in your face happily continue being processed. (Which could get seriously bad when used in exploits.)
I think everyone here should have a good hard read of this.
PHP: A fractal of bad design
Long story short, most of the language is inconsistent with respect to most other languages.
Some errors you'd normally expect to be shown in other languages relating to processing data happily continue, no questions asked.
Horrible chains of flags that are dependent on each other that can change program behavior.
Inconsistent variable, array and any other handling of types.
=== is broken, as well as various other operators and access methods ([] and {}).
Many others.
After using PHP for a while, I would seriously rather use ASP or VB. At least they are consistent. (but don't, really, don't use either)
The language is such a terrible hack of a language.
Use one of the many other far better and robust languages like the ones mentioned in parent.
PHP seriously isn't worth the effort. A language that isn't predictable and requires you to learn a hundred different quirks and hacks is just embarrassing.
The answer is Facebook, and I got a job by using this bug against them! see?
There is ignorance, all right, between your ears. All languages have security flaws and need constant patches. PHP has robust and well-tested frameworks with libraries to sanitise potentially dangerous input. There is nothing that can be done in, say, Ruby (my favorite language) that cannot also be done well in PHP. PHP now even has closures, lambdas, internal iterators....
> No licensing
Wrong
> stable
This news post is proof that's wrong.
> great track record
Wrong.
> flexable
About as flexible as your spelling.
> modules for everything .. all in the core API.
This is true. AND THEY'RE ALL PART OF THE CORE API! ImageMagick, MySQL (THREE TIMES!), Curl, etc.
PHP is a fucking disgrace and a blight on the world and needs to die a fiery death.
(Spend a few minutes reading the URL I linked above at veekun.com for a wonderful breakdown of why PHP is a heinous pile of horseshit.)
Ruby's not that bad, if you can manage to avoid having any interaction with the Ruby community...
I am TheRaven on Soylent News