The PHP Group on Tuesday is planning to release another new version of the scripting language that’s designed to address, again, the remotely exploitable flaw that came to light last week. That bug, which requires no authentication, was supposed to have been fixed in new releases pushed out on May 3, but they didn’t completely address the problem.
After The PHP Group released new versions of the language, the research team that initially discovered the flaw warned that the fixes didn’t completely address the issue and still left sites vulnerable. The researchers, known as Eindbazen, discovered the vulnerability during a capture-the-flag competition earlier this year and were working with PHP developers and US-CERT on a fix. But the bug was disclosed accidentally when the PHP internal tracking system mistakenly marked the bug as public before a patch was ready.
The PHP Group on Friday released two new versions of the language, but Eindbazen said that they did not completely fix the problem.
“The new PHP release is buggy. You can use their mitigation mod_rewrite rule, but the patch and new released versions do not fix the problem. At the bottom we have added a version of the PHP patch that fixes the obvious problem with the patch merged in the recently released security update,” the team said.
Now, the PHP developers are planning to push out another new release on Tuesday to hopefully fix the flaw.
“PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected,” The PHP Group said.
“Another set of releases are planned for Tuesday, May 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).”
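The difference between $* and "$@" that The PHP Group's statement refers to can be seen in a few lines of shell. This is an added example, not code from The PHP Group or Eindbazen: show_args is a hypothetical stand-in for the wrapped program, and the arguments and file names are constructed.

```shell
#!/bin/sh
# Hypothetical stand-in for the program a wrapper script launches.
# Prints the number of arguments it received, then each one in brackets.
show_args() {
    printf '%d' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# Wrapper style the statement calls insecure: unquoted $* is joined,
# then re-split on whitespace and glob-expanded by the shell, so the
# wrapped program sees different arguments than the wrapper was given.
forward_unquoted() {
    show_args $*
}

# Corrected style: "$@" hands each argument through exactly as received.
forward_quoted() {
    show_args "$@"
}

# Runs the named forwarder in a scratch directory holding two constructed
# files, to show glob expansion of a forwarded argument.
glob_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    : > a.conf; : > b.conf
    "$1" '*.conf'
    cd / && rm -rf "$dir"
)

# Constructed inputs: one argument containing a space, one empty argument.
forward_unquoted 'a b' c     # argument boundary lost
forward_quoted   'a b' c     # boundary preserved
forward_unquoted '' x        # empty argument silently dropped
forward_quoted   '' x        # empty argument preserved
glob_demo forward_unquoted   # pattern replaced by matching file names
glob_demo forward_quoted     # pattern passed through literally
```

A wrapper that ends in an exec line should therefore pass "$@" (with the double quotes), so that what reaches the wrapped binary is exactly what the web server supplied.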