PHP security warning

Postby Vincent » March 1st, 2013, 05:10:26

    These days a serious security vulnerability has been discovered in PHP, affecting all versions released in the last 8 years. The vulnerability has nothing to do with SMF and cannot be addressed by us, because the forum code doesn't even get to be executed. It can only be patched or mitigated at server level. However, we are bringing it to your attention because it is critical (remote code execution), so that you can test whether your site is affected (hopefully not) and, if necessary, notify your host and try to mitigate it.

    The issue is reported on a very particular configuration, PHP run as a CGI script (not FastCGI) on Apache, which is rather unusual these days. If your host is running it, however, then it is possible that arbitrary code can be executed, compromising your sites. This does NOT apply to the most common PHP setups these days (PHP run by mod_php or FastCGI is NOT affected), so it is possible you are not affected. We would advise, however, that you test whether your site is vulnerable and take measures if it is.

    How to test whether your sites are vulnerable: (please see this link)
    Add ?-s at the end of any URL of a PHP script, like: yoursite/index.php?-s
    If you see PHP code, your PHP is vulnerable.
    If you see your page normally, your site is not affected.

    How to mitigate the issue:
    If your site is affected and you have mod_rewrite available and enabled in Apache, then please add the following rewrite rule to .htaccess:

    Code:
    RewriteEngine on

    # Only query strings with no '=' are passed by Apache to the CGI binary
    # as command-line arguments, so only those need to be checked ...
    RewriteCond %{QUERY_STRING} ^[^=]*$
    # ... and among them, any containing a dash, literal or percent-encoded
    # (%2d), in either case (NC) ...
    RewriteCond %{QUERY_STRING} %2d|\- [NC]
    # ... is refused with 403 Forbidden before PHP is ever started
    RewriteRule .? - [F,L]

    Also, if you can verify the issue is happening on your site, please notify your host immediately, including a link to the issue.
    They can make sure to either (or all): change their configuration, apply the .htaccess patch to all sites, and, when the PHP issue is fixed, upgrade their PHP installation.

    Please find here the current (already outdated) official report from PHP:
    Note in addition that the new versions released at the time of this post are still vulnerable: the release of PHP 5.3.12 and 5.4.2 was rushed by the accidental disclosure of the bug report they were working on, and the patch is still faulty. The code committed to GitHub for PHP 5.3.12 is clearly buggy, and I'd expect PHP to release another patch any time now. When they do, it is highly recommended that servers running this kind of configuration upgrade their PHP or change this configuration altogether.
