<?php
$_SERVER['BASE_PAGE'] = 'releases/5_4_2.php';
include_once __DIR__ . '/../include/prepend.inc';
site_header("PHP 5.4.2 Release Announcement");
?>

<h1>PHP 5.4.2 Release Announcement</h1>

<p>The PHP development team would like to announce the immediate
availability of PHP 5.4.2. This release delivers a security fix.</p>

<p>There is a vulnerability in certain CGI-based setups that has gone
unnoticed for at least 8 years. <a
href="http://tools.ietf.org/html/draft-robinson-www-interface-00#section-7">Section
7 of the CGI spec</a> states:</p>

<cite>
 Some systems support a method for supplying a array of strings to the
 CGI script. This is only used in the case of an `indexed' query. This
 is identified by a "GET" or "HEAD" HTTP request with a URL search
 string not containing any unencoded "=" characters.
</cite>

<p>So requests that do not have a "=" in the query string are treated
differently from those that do in some CGI implementations. For PHP this
means that a request containing ?-s may dump the PHP source code for the
page, but a request that has ?-s&amp;a=1 is fine.</p>

<p>A large number of sites run PHP as either an Apache module through
mod_php or using php-fpm under nginx. Neither of these setups is
vulnerable to this. Straight shebang-style CGI also does not appear to
be vulnerable.</p>

<p>If you are using Apache mod_cgi to run PHP you may be vulnerable. To see
if you are, just add ?-s to the end of any of your URLs. If you see your
source code, you are vulnerable. If your site renders normally, you are not.</p>

<p>Making a bad week worse, we had a bug in our bug system that toggled the
private flag of a bug report to public on a comment to the bug report,
causing this issue to go public before we had time to test solutions to
the level we would like.</p>

<p>To fix this, update to PHP 5.3.12 or PHP 5.4.2. We recognize that since
this is a rather outdated way to run PHP it may not be feasible to
upgrade these sites to a modern version of PHP, so an alternative is to
configure your web server to not let through requests whose query
strings start with a "-" and do not contain a "=". Adding a
rule like this should not break any sites. For Apache using mod_rewrite
it would look like this:</p>

<pre>
    RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    RewriteRule ^(.*) $1? [L]
</pre>

<p>If you are writing your own rule, be sure to take the urlencoded ?%2ds
version into account.</p>

<p>For source downloads of PHP 5.4.2 please visit
our <a href="/downloads.php">downloads page</a>. Windows binaries can be found
on <a href="http://windows.php.net/download/">windows.php.net/download/</a>. A
<a href="/ChangeLog-5.php#5.4.2">ChangeLog</a> exists.</p>

<?php site_footer(); ?>
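<p>The condition used by the mod_rewrite rule in this announcement can also be run over existing access logs to see which past requests it would have caught. The following is an added example, not part of the original announcement or of PHP itself; the function names, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.</p>

```python
import re

# Same test as the RewriteCond in the announcement: the raw (still URL-encoded)
# query string starts with "-" or "%2d" and contains no unencoded "=".
# The [NC] flag corresponds to re.IGNORECASE.
INDEXED_SWITCH = re.compile(r"(%2d|-)[^=]+", re.IGNORECASE)

# Request line inside a Common/Combined Log Format entry (assumed log layout).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def is_blocked_query(query: str) -> bool:
    """True if the rewrite rule would strip this query string."""
    return INDEXED_SWITCH.fullmatch(query) is not None


def flag_requests(log_lines):
    """Yield (line_number, target) for requests the rule would catch."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if match is None:
            continue  # malformed or non-HTTP entry
        # Everything after the first "?" is the query string; it is compared
        # undecoded, the way %{QUERY_STRING} is.
        _, _, query = match.group("target").partition("?")
        if is_blocked_query(query):
            yield number, match.group("target")


# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2012:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '192.0.2.12 - - [01/Jan/2012:10:00:03 +0000] "GET /index.php?-s&a=1 HTTP/1.1" 200 812',
    '192.0.2.13 - - [01/Jan/2012:10:00:04 +0000] "GET /index.php?page=2 HTTP/1.1" 200 812',
    '192.0.2.14 - - [01/Jan/2012:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for number, target in flag_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

<p>Only the first two sample entries are flagged: the plain and the urlencoded form. The entries with a "=" in the query string, or with no query string at all, pass through, as the announcement describes.</p>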