
An important PHP security update

[Security] Posted May 3, 2012 21:44 UTC (Thu) by corbet

PHP 5.3.12 and 5.4.2 have been released to fix a nasty security hole that was disclosed somewhat sooner than planned. Essentially, it allows any remote attacker to pass command-line arguments to the PHP interpreter behind a web page—but only in the (hopefully rare) setups where PHP is invoked via the CGI mechanism. "If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not."
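A log check for the request shape described above, as an added example that is not part of the original article or of PHP's own tooling. It assumes Apache combined-format access logs and relies on the CGI specification's rule (RFC 3875, section 4.4) that a query string with no unencoded "=" is split on "+" and passed to the CGI program as command-line arguments; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line and status code inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def is_cgi_argument_query(target):
    """True if the query string would reach a CGI binary as an option."""
    _path, sep, query = target.partition("?")
    if not sep or not query:
        return False
    # RFC 3875 4.4: only a query with no unencoded "=" is treated as a
    # command line; ordinary key=value queries are never passed as argv.
    if "=" in query:
        return False
    # Arguments are separated by "+"; decode each one so that a
    # percent-encoded leading dash (%2D) is caught as well.
    args = [unquote(part) for part in query.split("+")]
    return any(arg.startswith("-") for arg in args)

def suspicious_requests(lines):
    """Return (client, request target, status) for each flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_cgi_argument_query(m.group(1)):
            hits.append((line.split()[0], m.group(1), int(m.group(2))))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2012:21:50:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "curl"',
    '192.0.2.11 - - [03/May/2012:21:50:07 +0000] "GET /index.php?page=2 HTTP/1.1" 200 830 "-" "Mozilla"',
    '192.0.2.12 - - [03/May/2012:21:51:15 +0000] "GET /search.php?linux+kernel HTTP/1.1" 200 912 "-" "Mozilla"',
    '192.0.2.13 - - [03/May/2012:21:52:40 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120 "-" "curl"',
    '192.0.2.14 - - [03/May/2012:21:53:02 +0000] "GET /view.php?id=-1 HTTP/1.1" 200 640 "-" "Mozilla"',
]

if __name__ == "__main__":
    for client, target, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested {target} (status {status})")
```

A flagged request answered with status 200 on a host that runs PHP through CGI is worth checking against the source-disclosure test quoted above; on hosts that do not use CGI the same lines are only probes.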



Copyright © 2012, Eklektix, Inc.