[ale] OT: Why Big Sites Run Drupal
- Subject: [ale] OT: Why Big Sites Run Drupal
- From: mike at trausch.us (mike at trausch.us)
- Date: Fri, 04 May 2012 16:36:54 -0400
- In-reply-to: <CAEo=5PwPXrTxDYGFLcFh6ZmiWmsVLaTw6JrahUT7Ydtk-uMXnw@mail.gmail.com>
- References: <CABo2fvB0be53U8jZyqE_9ueM32Mz4g6jsiXYbuHWWWRTLKYo7A@mail.gmail.com> <CAMBGJbG_cpm9BH3-Asc+eHpEmmm+EONz2uNPTdT=xkuMheHmWw@mail.gmail.com> <[email protected]> <CAEo=5PwPXrTxDYGFLcFh6ZmiWmsVLaTw6JrahUT7Ydtk-uMXnw@mail.gmail.com>
On 05/04/2012 03:23 PM, Jim Kinney wrote:
> PHP = Page Hijack Protocol
This just in from Ubuntu:
> ==========================================================================
> Ubuntu Security Notice USN-1437-1
> May 04, 2012
>
> php5 vulnerability
> ==========================================================================
>
> A security issue affects these releases of Ubuntu and its derivatives:
>
> - Ubuntu 12.04 LTS
> - Ubuntu 11.10
> - Ubuntu 11.04
> - Ubuntu 10.04 LTS
> - Ubuntu 8.04 LTS
>
> Summary:
>
> Standalone PHP CGI scripts could be made to execute arbitrary code with
> the privilege of the web server.
>
> Software Description:
> - php5: HTML-embedded scripting language interpreter
>
> Details:
>
> It was discovered that PHP, when used as a stand alone CGI processor
> for the Apache Web Server, did not properly parse and filter query
> strings. This could allow a remote attacker to execute arbitrary code
> running with the privilege of the web server. Configurations using
> mod_php5 and FastCGI were not vulnerable.
>
> This update addresses the issue when the PHP CGI interpreter
> is configured using mod_cgi and mod_actions as described
> in /usr/share/doc/php5-cgi/README.Debian.gz; however,
> if an alternate configuration is used to enable PHP CGI
> processing, it should be reviewed to ensure that command line
> arguments cannot be passed to the PHP interpreter. Please see
> http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html
> for more details and potential mitigation approaches.
>
> Update instructions:
>
> The problem can be corrected by updating your system to the following
> package versions:
> [...]
Upshot is that *this* one doesn't actually affect 95%+ of the
installations out there; therefore, its impact is relatively light
compared to most of them.
--- Mike
--
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
--- Carveth Read, "Logic"
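As an added example (not from the advisory or the original post), a defender-side log check in the spirit of the advisory's mitigation note: it applies the CGI rule under which a query string with no unencoded `=` is split on `+`, URL-decoded, and handed to the script as command-line arguments, and flags requests whose resulting arguments look like interpreter options. The log lines and the `cgi_argv`/`scan_log` helper names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2012:16:36:54 -0400] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [04/May/2012:16:37:01 -0400] "GET /cgi-bin/php?-example HTTP/1.1" 200 77 "-" "curl/7.22"
203.0.113.9 - - [04/May/2012:16:37:05 -0400] "GET /index.php?%2Dx+y HTTP/1.1" 200 77 "-" "curl/7.22"
203.0.113.10 - - [04/May/2012:16:37:09 -0400] "GET /index.php?search+terms HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv(query: str) -> list[str]:
    """Return the argv a CGI server would pass to the script for this raw query string.

    RFC 3875 (section 4.4): if the query string contains no unencoded '=',
    the server splits it on '+' and URL-decodes each piece into an argument;
    otherwise the script gets no command-line arguments at all.
    """
    if query == "" or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def looks_like_cli_injection(query: str) -> bool:
    """True when the query reaches the interpreter as argv and an argument looks like an option."""
    return any(arg.startswith("-") for arg in cgi_argv(query))


def scan_log(text: str) -> list[dict]:
    """Return one record per request whose query string would be passed as option-like argv."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if looks_like_cli_injection(query):
            hits.append({"path": path, "query": query, "argv": cgi_argv(query)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['path']}?{hit['query']} -> argv {hit['argv']}")
```

Plain `a+b` style queries are handed over as argv too, but only argument-like ones (`-...`) are flagged, so a normal search form is not reported.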