PHP patches actively exploited CGI vulnerability
The PHP Group has released PHP 5.4.3 and PHP 5.3.13 on Tuesday in order to address two remote code execution vulnerabilities, one of which is being actively exploited by hackers.
"The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311)," the PHP developers said in the release notes. Additionally, PHP 5.4.3 fixes a buffer overflow vulnerability, identified as CVE-2012-2329, in the apache_request_headers() function.
The CVE-2012-2311 vulnerability, also known as CVE-2012-1823, was publicly disclosed last week and prompted the PHP Group to release PHP 5.3.12 and PHP 5.4.2 as emergency security updates in order to resolve it, on May 3. Unfortunately, the initial patch proved to be ineffective against all variations of the exploit for CVE-2012-1823, and the manual workaround suggested by the PHP developers when releasing the emergency updates was easy to bypass as well.
- Wed, 2013-05-22 01:39
- Tue, 2013-05-21 11:34
- Mon, 2013-05-13 01:31