PHP Group to try again to fix vulnerability


The PHP Group, under fire for prematurely pushing out a patch to fix a recently uncovered vulnerability in the language, says it is working on another patch to fix the problem as web site owners scramble to ensure the integrity of their sites. Fortunately, as dire as that sounds, few sites appear to be at risk because the vulnerability only exists for those running in Common Gateway Interface (CGI) mode.

PHP is a scripting language (it used to stand for “Personal Home Page” but now means PHP: Hypertext Processor) used by servers to provide web services. It can be embedded into HTML documents rather than forcing programmers to call external routines. Doing so makes creating and maintaining pages much simpler, though as this latest vulnerability shows, it can also be less secure.

In this case, the problem is not so much that a vulnerability was found, but that it was accidentally made public when some unknown person at Eindbazen (the group that found the vulnerability) published it to Reddit (a social news website). That caused nefarious types to work up code that could easily test a web site for the vulnerability and then exploit it when found.

The vulnerability is that, for websites running in CGI mode, a URL passed with a “-” character could be used as a command string, causing the site to carry out instructions via switches, e.g. -c, -s, -d. By doing so, hackers could gain a copy of index.php, for example. Worse, of course, they could also gain admittance to user data, or the flaw could be used to carry out instructions such as to cause a denial of service. To be clear, the problem is not that command strings can be passed to a server, but that switches can be passed that cause commands to run on the server. Most servers allow characters to be passed as data strings for interpretation by PHP parsing.
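A log check for the request pattern described above, as an added example that is not from the article or the PHP Group: it flags requests whose query string a CGI binary would receive as command-line arguments, which per the CGI specification (RFC 3875, section 4.4) happens only when the query contains no unencoded "=". The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/May/2012:10:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/May/2012:10:01:05 +0000] "GET /index.php?%2Dd+name%3Dvalue HTTP/1.1" 200 812',
    '198.51.100.4 - - [08/May/2012:10:02:11 +0000] "GET /index.php?page=-1 HTTP/1.1" 200 734',
    '198.51.100.4 - - [08/May/2012:10:02:19 +0000] "GET /search.php?q=a-b HTTP/1.1" 200 911',
    '198.51.100.9 - - [08/May/2012:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 734',
]

def switch_like_args(target):
    """Return the decoded tokens of the query string that would reach a CGI
    binary as command-line switches, or [] if the query is ordinary data."""
    _path, sep, query = target.partition("?")
    if not sep or not query:
        return []
    # RFC 3875 4.4: a query containing an unencoded "=" is form data, not argv.
    if "=" in query:
        return []
    # Otherwise the query is split on "+" and each piece is URL-decoded,
    # so an encoded dash (%2D) still ends up as a leading "-".
    args = [unquote(piece) for piece in query.split("+")]
    return [arg for arg in args if arg.startswith("-")]

def scan(lines):
    """Return (client, request target, switches) for each suspicious line."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        switches = switch_like_args(match.group("target"))
        if switches:
            findings.append((line.split()[0], match.group("target"), switches))
    return findings

if __name__ == "__main__":
    for client, target, switches in scan(SAMPLE_LOG):
        print(f"{client} sent {target} -> switches {switches}")
```

Ordinary parameters such as `page=-1` are not flagged because the unencoded "=" keeps the query from being treated as arguments.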

Upon hearing of the vulnerability being made public, the PHP Group rushed to push out a patch. Unfortunately, the patch has proven to be ineffective, which has left some sites more vulnerable than before as owners ceased working on protection measures believing their server was safe.

Moving forward, the PHP Group has advised site owners to update their PHP version and then to test their site themselves to see if they are at risk. If so, they suggest those site owners contact Eindbazen for some possible remedies that can be used until a permanent fix is ready for distribution.


© 2012 Phys.Org

Citation: PHP Group to try again to fix vulnerability (2012, May 8) retrieved 16 October 2019 from

User comments

May 08, 2012
Have you ever programmed, Vendicar?
It's not easy. Especially when working with a ton of other people. And it's impossible to test every input a user can come up with... You should at least consider these things prior to claiming mental defects..

May 09, 2012
Hello world, doesn't count.
If you write a lot of code, you will eventually slip up. You are human, Vendicar.
DB hacking is the most successful these days for a reason. Facebook, Google, NSA, FBI all of these have experienced breaches the past few years, and you can do better? Enlighten me, Captain obvious.

May 09, 2012
It should be noted that the recursive acronym "PHP" means "PHP: Hypertext Preprocessor", not "processor" as the article states.

Vendicar, you can't build a bullet-proof system. The bigger it gets, the more likely that there will be a vulnerability left behind. This is even more likely when you have many contributors to your project. However, you can patch things properly. You can do your best and you can run in a sand-box, run with least privileges and keep it simple. All of these approaches lead to secure software.

Even the mighty developers at Google admit that they *might* have security flaws in their software. Chrome's sandboxing is evidence enough.

May 09, 2012
Even the code behind the Physorg comments has vulnerabilities. It's been known for a while that if one wanted to make a post as another user, it's doable. However, (covering own arse), I will not demonstrate it (and never have used it). What I can say is that often untrapped errors lead to the information that is required to enable unwanted access. So, I would agree with Vendi, it's simply lazy programming.

May 09, 2012
2012 and programmers can't properly parse strings, clear buffers, avoid pointer overflows, etc. etc. etc.

Same mistakes over and over and over again.

What is wrong with these people? Are they mentally defective?

It's not the same people making the same mistakes over and over. Just as we all fall down as kids even though our parents tell us to stop running/jumping over things people make mistakes, learn from them and move on. No one is born with decades of programming experience built in so if that's important to you then limit yourself to running only software you made. No one has to put up with intolerance like yours.

May 13, 2012
OpenAL and fmod work under Windows.

May 13, 2012
Another reason to use the .Net framework - a proper web programming framework, that is compiled properly and runs on a proper server technology.
