For the second time in less than a week, the developers of PHP have released new versions of the language that include a fix for the remotely exploitable vulnerability that was disclosed last week. The group is encouraging users to upgrade to PHP 5.4.3 or 5.3.13 immediately.
The vulnerability affects PHP sites in CGI-based setups and can enable an attacker to get access to the site’s source code by passing certain queries to the PHP binary as command-line arguments. The bug was disclosed last week, before a patch was available, because of a mistake in the PHP Group’s internal bug-handling system.
“The PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13.
“The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311). Note: mod_php and php-fpm are not vulnerable to this attack,” the PHP developers said.
“PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329). The PHP 5.3 series is not vulnerable to this issue.”
The PHP Group released a fix for the bug late last week, but the researchers who originally discovered the flaw found that the new versions didn’t completely address the problem and still left vulnerable sites exposed to attack. There are mitigations available for the bug, as explained by the Eindbazen team that found the flaw, but users should upgrade their installations as soon as they can.
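While an upgrade is being rolled out, access logs can be checked for requests whose query string could have reached a CGI binary as command-line arguments, the condition described above. The Python below is an added example, not code from the PHP Group or Eindbazen. It assumes Common Log Format and the CGI rule (RFC 3875, section 4.4) that only a query string with no unencoded `=` is passed as arguments; the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a Common Log Format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+"'
)

def looks_like_cgi_argument(query):
    """True when a query string could be read by a CGI binary as a switch."""
    if not query or "=" in query:
        # A literal "=" means the server treats the query as form data,
        # not as command-line arguments (RFC 3875, section 4.4).
        return False
    # Judge the query by its decoded form: percent-escapes resolved,
    # "+" read as a space, leading whitespace ignored. This is a
    # deliberately conservative choice made for this example.
    decoded = unquote(query.replace("+", " ")).lstrip()
    return decoded.startswith("-")

def scan(lines):
    """Return (line_number, path, raw_query) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and looks_like_cgi_argument(match.group("query")):
            hits.append((number, match.group("path"), match.group("query")))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder switch "-x").
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2012:10:01:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [08/May/2012:10:01:07 +0000] "GET /index.php?-x HTTP/1.1" 200 48211',
    '203.0.113.9 - - [08/May/2012:10:01:09 +0000] "GET /index.php?%2dx HTTP/1.1" 200 48211',
    '203.0.113.9 - - [08/May/2012:10:01:12 +0000] "GET /index.php?+-x HTTP/1.1" 200 48211',
    '198.51.100.7 - - [08/May/2012:10:02:30 +0000] "GET /search.php?q=-x HTTP/1.1" 200 901',
    '198.51.100.7 - - [08/May/2012:10:02:41 +0000] "GET /about.php HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for number, path, query in scan(SAMPLE_LOG):
        print(f"line {number}: {path} query={query!r}")
```

A hit only shows that such a request was made; whether it had any effect depends on the server running PHP as CGI on an unpatched version.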