xref: /web-php/releases/5_3_12.php (revision f1cb7e74)
<?php
$_SERVER['BASE_PAGE'] = 'releases/5_3_12.php';
include_once __DIR__ . '/../include/prepend.inc';
site_header("PHP 5.3.12 Release Announcement");
?>

<h1>PHP 5.3.12 Release Announcement</h1>

<p>The PHP development team would like to announce the immediate
availability of PHP 5.3.12. This release delivers a security fix.</p>

<p>There is a vulnerability in certain CGI-based setups that has gone
unnoticed for at least 8 years. <a
href="http://tools.ietf.org/html/draft-robinson-www-interface-00#section-7">Section
7 of the CGI spec</a> states:</p>

<cite>
   Some systems support a method for supplying a array of strings to the
   CGI script. This is only used in the case of an `indexed' query. This
   is identified by a "GET" or "HEAD" HTTP request with a URL search
   string not containing any unencoded "=" characters.
</cite>

<p>So requests that do not have a "=" in the query string are treated
differently from those that do in some CGI implementations. For PHP this
means that a request containing ?-s may dump the PHP source code for the
page, but a request that has ?-s&amp;a=1 is fine.</p>

<p>A large number of sites run PHP as either an Apache module through
mod_php or using php-fpm under nginx. Neither of these setups is
vulnerable to this. Straight shebang-style CGI also does not appear to
be vulnerable.</p>

<p>If you are using Apache mod_cgi to run PHP, you may be vulnerable. To see
if you are, just add ?-s to the end of any of your URLs. If you see your
source code, you are vulnerable. If your site renders normally, you are not.</p>

<p>Making a bad week worse, we had a bug in our bug system that toggled the
private flag of a bug report to public on a comment to the bug report,
causing this issue to go public before we had time to test solutions to
the level we would like.</p>

<p>To fix this, update to PHP 5.3.12 or PHP 5.4.2. We recognize that, since
this is a rather outdated way to run PHP, it may not be feasible to
upgrade these sites to a modern version of PHP, so an alternative is to
configure your web server to not let these types of requests with query
strings starting with a "-" and not containing a "=" through. Adding a
rule like this should not break any sites. For Apache using mod_rewrite
it would look like this:</p>

<pre>
    RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    RewriteRule ^(.*) $1? [L]
</pre>

<p>If you are writing your own rule, be sure to take the urlencoded ?%2ds
version into account.</p>
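
<p>An added example, not part of the original announcement or of PHP's own
code: a Python script that applies the same pattern as the rewrite condition
above to web server access-log entries, to find past requests the rule would
have matched. The log lines are constructed samples, and the names
<code>rule_matches</code> and <code>flag_requests</code> are hypothetical.</p>

```python
import re

# The page's RewriteCond pattern; [NC] becomes IGNORECASE. Apache applies it to
# the raw, still URL-encoded query string, so no decoding is done here either.
RULE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Request line of a common/combined log entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/May/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/May/2012:10:00:03 +0000] "GET /index.php?-s&a=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [03/May/2012:10:00:04 +0000] "GET /search.php?q=-s HTTP/1.1" 200 900',
    '203.0.113.5 - - [03/May/2012:10:00:05 +0000] "HEAD /index.php?-s%3d1 HTTP/1.1" 200 0',
]


def rule_matches(query):
    """True if the page's rewrite condition would match this raw query string."""
    return RULE.match(query) is not None


def flag_requests(log_lines):
    """Return (client, method, target) for each entry the rule would match."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m is None:
            continue  # malformed or non-HTTP entry
        method, target = m.groups()
        # Everything after the first "?" is the query string.
        query = target.partition("?")[2]
        if rule_matches(query):
            hits.append((line.split()[0], method, target))
    return hits


if __name__ == "__main__":
    for client, method, target in flag_requests(SAMPLE_LOG):
        print(client, method, target)
```

<p>The encoded <code>%3d</code> in the last sample is not an unencoded "=",
so that entry is flagged along with the plain and <code>%2D</code> forms.</p>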

<p>For source downloads of PHP 5.3.12 please visit
our <a href="/downloads.php">downloads page</a>. Windows binaries can be found
on <a href="http://windows.php.net/download/">windows.php.net/download/</a>. A
<a href="/ChangeLog-5.php#5.3.12">ChangeLog</a> exists.</p>

<?php site_footer(); ?>