Latest PHP 4.3.12 and cgi flaw

#1 Tue, 05/08/2012 - 08:15
DanMansfield

I run Virtualmin Pro and sites are set to FCGId (run as virtual server owner). Is the CGI flaw mentioned above related to how FCGI operates at all?

Tue, 05/08/2012 - 13:19
andreychek

Howdy,

I assume you mean PHP 5.3.12 (rather than 4.3.12).

Does the flaw relate to FCGID? It doesn't appear that way -- reading the vulnerability explanation, it sounds like it's only present in CGI, and not in FCGID or FastCGI.

However, it sounds like it's exploitable by calling a PHP app, and passing in ?-s as a parameter -- so you could always test it.

Doing some testing of my own on a vulnerable version of PHP running CGI -- I don't seem to be able to trigger the flaw on a system running Virtualmin.

That may in part be due to how the Virtualmin CGI wrapper script works -- it doesn't pass in any parameters to the php-cgi binary.

It instead tells PHP what script to look for by setting an environment variable, and once that's set, it calls php-cgi without any parameters.

That setup may be preventing that flaw from being triggered, which requires certain parameters to be passed along to the PHP binary.

-Eric
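
A defender's check for the request shape discussed in this thread, as an added example that is not part of the original posts: it flags access-log lines whose query string has no unencoded `=` and begins with `-`, the form a CGI server hands to the program as command-line arguments (RFC 3875, section 4.4). The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def query_becomes_argv(query):
    """True if a CGI server would pass this query string to the program as
    command-line arguments that start with an option switch.

    Per RFC 3875 section 4.4, a query string containing no unencoded '='
    is an "indexed" query and is split into arguments on '+'.
    """
    if not query or "=" in query:
        return False
    # Decode the way the server does before building argv, then drop
    # leading separators so "+-s" is caught as well as "-s".
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")

def flag_lines(log_lines):
    """Return the log lines whose request would reach a CGI binary as switches."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        _path, _sep, query = match.group(1).partition("?")
        if query_becomes_argv(query):
            hits.append(line)
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2012:13:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [08/May/2012:13:01:05 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/May/2012:13:02:11 +0000] "GET /index.php?page=-s HTTP/1.1" 200 811',
    '198.51.100.7 - - [08/May/2012:13:02:15 +0000] "GET /search.php?q=a-b HTTP/1.1" 200 640',
    '203.0.113.4 - - [08/May/2012:13:03:00 +0000] "GET /index.php HTTP/1.1" 200 811',
]

if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print(hit)
```

A hit only shows that such a request arrived; whether it had any effect depends on how PHP is invoked, which is the point made above about the wrapper calling php-cgi without parameters.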

Wed, 05/09/2012 - 10:18
DanMansfield

Yes, 5.3.13 as it is now! Thanks for the response.
