oss-sec mailing list archives
PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)
From: Solar Designer <solar () openwall com>
Date: Sat, 5 May 2012 00:22:19 +0400
Hi, I guess most of you have heard of this one already, yet it should be in here as well. The original issue was tracked as CERT VU#520827, CVE-2012-1823. PHP 5.4.2 and 5.3.12 were released with an incomplete fix, and apparently CVE-2012-2311 refers to that incomplete fix issue. http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html http://www.kb.cert.org/vuls/id/520827 http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/ http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/ http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian) Alexander
Current thread:
- PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Solar Designer (May 04)
- Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Marcus Meissner (May 04)
- Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Tomas Hoger (May 09)