oss-sec mailing list archives
Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)
From: Marcus Meissner <meissner () suse de>
Date: Fri, 4 May 2012 22:57:18 +0200
On Sat, May 05, 2012 at 12:22:19AM +0400, Solar Designer wrote:
Hi, I guess most of you have heard of this one already, yet it should be in here as well. The original issue was tracked as CERT VU#520827, CVE-2012-1823. PHP 5.4.2 and 5.3.12 were released with an incomplete fix, and apparently CVE-2012-2311 refers to that incomplete fix issue. http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html http://www.kb.cert.org/vuls/id/520827 http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/ http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/ http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian)
What I find particulary interesting is that the reporters apparently notified PHP on January 17th. :/ Ciao, Marcus
Current thread:
- PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Solar Designer (May 04)
- Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Marcus Meissner (May 04)
- Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827) Tomas Hoger (May 09)