PHP & CGI: shaken, not stirred

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

A few quotes:
"This is a detailed discussion of the generic PHP-CGI remote code execution bug we found while playing Nullcon CTF. We found that giving the query string ‘?-s’ somehow resulted in the “-s” command line argument being passed to php, resulting in source code disclosure. We explored this bug further and managed to improve our exploit to remote code execution, and trace the bug to a PHP commit in 2004."

"The vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec. Apache does this, but many other servers do not."

"13-01: Vulnerability discovered, used to pwn Nullcon Hackim 2012 scoreboard
13-01: We discuss the issue with Nullcon admins, find out it is a php 0day
17-01: We contact security at php dot net with a full report and a suggested patch
01-02: We ask PHP to confirm receipt, state our intent to hand off the vulnerability to CERT if progress is not made
01-02: PHP forwards vulnerability report to PHP CGI maintainer
23-02: CERT acknowledges receipt of vulnerability and attempts to contact PHP.
05-04: We ask CERT for a status update
05-04: CERT responds saying that PHP is still working on a fix
20-04: We ask CERT to proceed with disclosure unless a patch is imminent
26-04: CERT prepares draft advisory.
02-05: CERT notifies us that PHP is testing a patch and would like more time. We agree.
03-05: Someone posts the internal PHP bug to reddit /r/netsec /r/opensource and /r/technology. It was apparently accidentally marked public."

Am I the only one who finds PHP's reaction time to this problem amusing?
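The mechanism the quoted advisory describes, as an added example that is not part of this post or of the eindbazen advisory: the CGI argv rule from RFC 3875 section 4.4 implemented in Python, then applied to constructed access-log lines to flag requests whose query string a spec-following server would hand to php-cgi as option-looking arguments. The log lines, client addresses and function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# RFC 3875 section 4.4: when QUERY_STRING has no unencoded '=', the server
# may split it on '+', URL-decode the words and pass them to the CGI program
# as argv. That is how "?-s" reached php-cgi as the "-s" option quoted above.
def cgi_argv_from_query(query: str) -> list:
    """argv words a spec-following CGI server derives from a query string;
    empty when the query would only be exported as QUERY_STRING."""
    if query == "" or "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word != ""]

def is_option_injection(query: str) -> bool:
    """True when any derived argv word would be parsed as a php-cgi option."""
    return any(word.startswith("-") for word in cgi_argv_from_query(query))

# Minimal Common Log Format matcher (group names are our own choice).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def flag_log_lines(lines):
    """Return (client, path, argv) for requests whose query would reach CGI as options."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        path, _, query = m.group("target").partition("?")
        if is_option_injection(query):
            hits.append((m.group("host"), path, cgi_argv_from_query(query)))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/May/2012:10:00:00 +0000] "GET /index.php?-s HTTP/1.1" 200 1234',
    '203.0.113.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 1234',
    '198.51.100.7 - - [03/May/2012:10:00:02 +0000] "GET /index.php?page=-s HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/May/2012:10:00:03 +0000] "GET /index.php?foo+bar HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/May/2012:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, path, argv in flag_log_lines(SAMPLE_LOG):
        print(f"{client} {path} would receive argv {argv}")
```

A query string containing an unencoded "=" is never passed as argv, which is why the check ignores the third sample line and why the advisory says only servers honouring this part of the CGI spec are affected.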

Comments

Considering some of their earlier problems, I think that's quite a decent reaction time, by their own standards. >;)

--
|8]

>> the “-s” command line argument being passed to php, resulting in source code disclosure

This is the FLOSS dream come true; whoever patches this is a reactionary counter-revolutionary element.