Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)

["Mike O'Connor" <mjo () dojo mi org>]

:On Sat, May 05, 2012 at 12:22:19AM +0400, Solar Designer wrote:
:> Hi,
:> 
:> I guess most of you have heard of this one already, yet it should be in
:> here as well.  The original issue was tracked as CERT VU#520827,
:> CVE-2012-1823.  PHP 5.4.2 and 5.3.12 were released with an incomplete
:> fix, and apparently CVE-2012-2311 refers to that incomplete fix issue.
:> 
:> http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
:> http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html
:> http://www.kb.cert.org/vuls/id/520827
:> http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/
:> http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/
:> http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html
:> http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian)
:
:What I find particulary interesting is that the reporters apparently notified PHP
:on January 17th. :/

...but the associated PHP bug appears to have only been opened on May
2nd.  I wonder if it slipped through some cracks because it was being
handled outside of "normal" bug processes.  Hmmm...


-- 
 Michael J. O'Connor                                          mjo () dojo mi org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Potluck supper: prayer and medication to follow."         -Anguished English

Attachment: _bin
Description: