[ale] OT: Why Big Sites Run Drupal
mike at trausch.us
Fri May 4 16:36:54 EDT 2012
On 05/04/2012 03:23 PM, Jim Kinney wrote:
> PHP = Page Hijack Protocol
This just in from Ubuntu:
> ==========================================================================
> Ubuntu Security Notice USN-1437-1
> May 04, 2012
>
> php5 vulnerability
> ==========================================================================
>
> A security issue affects these releases of Ubuntu and its derivatives:
>
> - Ubuntu 12.04 LTS
> - Ubuntu 11.10
> - Ubuntu 11.04
> - Ubuntu 10.04 LTS
> - Ubuntu 8.04 LTS
>
> Summary:
>
> Standalone PHP CGI scripts could be made to execute arbitrary code with
> the privilege of the web server.
>
> Software Description:
> - php5: HTML-embedded scripting language interpreter
>
> Details:
>
> It was discovered that PHP, when used as a stand alone CGI processor
> for the Apache Web Server, did not properly parse and filter query
> strings. This could allow a remote attacker to execute arbitrary code
> running with the privilege of the web server. Configurations using
> mod_php5 and FastCGI were not vulnerable.
>
> This update addresses the issue when the PHP CGI interpreter
> is configured using mod_cgi and mod_actions as described
> in /usr/share/doc/php5-cgi/README.Debian.gz; however,
> if an alternate configuration is used to enable PHP CGI
> processing, it should be reviewed to ensure that command line
> arguments cannot be passed to the PHP interpreter. Please see
> http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html
> for more details and potential mitigation approaches.
>
> Update instructions:
>
> The problem can be corrected by updating your system to the following
> package versions:
> [...]
Upshot is that *this* one doesn't actually affect 95%+ of the
installations out there; therefore, its impact is relatively light
compared to most of them.
--- Mike
--
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
--- Carveth Read, “Logic”
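The advisory's closing advice, that any non-standard CGI setup be reviewed "to ensure that command line arguments cannot be passed to the PHP interpreter", rests on a CGI rule that is easy to overlook: RFC 3875 section 4.4 says that when a query string contains no unencoded `=`, the server splits it on `+`, URL-decodes the words and hands them to the CGI program as argv. The following is an added example, written for this page and not taken from the ALE post, the Ubuntu advisory or the PHP project; it models that argv derivation and runs the resulting check over a few constructed access-log lines. The `.php` suffix as the marker for "this request reaches the CGI handler", and the log lines themselves, are assumptions made for the example.

```python
"""Added example (not from the ALE post or the Ubuntu advisory).

Models how a CGI-conformant web server turns a query string into argv for
the CGI program (RFC 3875, section 4.4) and flags requests that would hand
option-looking arguments to an interpreter run as a CGI binary, which is
the condition the advisory says must be prevented. The log lines below are
constructed for the example."""

import re
from urllib.parse import unquote

# Apache common log format; only the request line matters here.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

# Assumption for this example: requests ending in .php reach the CGI handler.
CGI_SUFFIX = ".php"


def cgi_argv_from_query(query: str) -> list[str]:
    """Return the argv words a CGI server derives from a raw query string.

    RFC 3875 section 4.4: if the query string contains no *unencoded* '=',
    the server splits it on '+', URL-decodes each word and passes the
    words as command-line arguments to the script. An encoded '%3d' does
    not count, so 'a%3db+-x' still yields arguments.
    """
    if "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]


def query_passes_options(query: str) -> bool:
    """True if any derived argv word looks like an interpreter option."""
    return any(word.startswith("-") for word in cgi_argv_from_query(query))


def flag_requests(log_text: str) -> list[str]:
    """Return the request targets in an access log that would pass
    option-looking argv words to a CGI interpreter."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        path, _, query = target.partition("?")
        if path.endswith(CGI_SUFFIX) and query_passes_options(query):
            flagged.append(target)
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2012:16:01:02 -0400] "GET /index.php?q=hello HTTP/1.1" 200 512
203.0.113.5 - - [04/May/2012:16:01:03 -0400] "GET /index.php?-x HTTP/1.1" 200 512
203.0.113.5 - - [04/May/2012:16:01:04 -0400] "GET /index.php?%2dx HTTP/1.1" 200 512
203.0.113.5 - - [04/May/2012:16:01:05 -0400] "GET /search.php?a+b HTTP/1.1" 200 512
203.0.113.5 - - [04/May/2012:16:01:06 -0400] "GET /index.php?a%3db+-x HTTP/1.1" 200 512
203.0.113.5 - - [04/May/2012:16:01:07 -0400] "GET /static/logo.png?-x HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("would pass options to CGI:", target)
```

Two of the constructed lines show why a naive check is not enough: `%2dx` decodes to `-x` only after the split, and `a%3db+-x` contains no unencoded `=` so the server still derives arguments from it. A server-side mitigation needs to test the same condition on the raw query string (no `=`, and a `-` or `%2d` present) before the request reaches the CGI binary; the same condition, run over logs as above, tells you whether anyone tried it before the package update landed.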