Message-ID: <20120504202219.GA1111@openwall.com>
Date: Sat, 5 May 2012 00:22:19 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)

Hi,

I guess most of you have heard of this one already, yet it should be in
here as well.  The original issue was tracked as CERT VU#520827,
CVE-2012-1823.  PHP 5.4.2 and 5.3.12 were released with an incomplete
fix, and apparently CVE-2012-2311 refers to that incomplete fix issue.

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html
http://www.kb.cert.org/vuls/id/520827
http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/
http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/
http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html
http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian)

Alexander
