oss-sec mailing list archives
Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Fri, 4 May 2012 18:40:02 -0400
:On Sat, May 05, 2012 at 12:22:19AM +0400, Solar Designer wrote:
:> Hi,
:>
:> I guess most of you have heard of this one already, yet it should be in
:> here as well. The original issue was tracked as CERT VU#520827,
:> CVE-2012-1823. PHP 5.4.2 and 5.3.12 were released with an incomplete
:> fix, and apparently CVE-2012-2311 refers to that incomplete fix issue.
:>
:> http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
:> http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html
:> http://www.kb.cert.org/vuls/id/520827
:> http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/
:> http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/
:> http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html
:> http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian)
:
:What I find particularly interesting is that the reporters apparently notified PHP
:on January 17th. :/

...but the associated PHP bug appears to have only been opened on May 2nd.
I wonder if it slipped through some cracks because it was being handled
outside of "normal" bug processes. Hmmm...

--
Michael J. O'Connor    mjo () dojo mi org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Potluck supper: prayer and medication to follow."    -Anguished English
Current thread:
- PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Solar Designer (May 04)
- Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Marcus Meissner (May 04)
- Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Mike O'Connor (May 04)
- Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Tomas Hoger (May 09)
- Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Marcus Meissner (May 04)