It is one thing to be fast with an update for a security flaw, however, the caveat for that is it has to be right.
That is what makes the updates to PHP versions 5.3.12 and 5.4.2 released on Thursday an issue. They do not fully resolve the vulnerability accidentally disclosed on Reddit, according to the person that discovered the flaw.
The bug in the way CGI and PHP interact with each other leads to a situation where attackers can execute code on affected servers. The issue remained undiscovered for eight years.
The best protection offered so far is to set up filter rules on the web server. The RewriteRule workaround described on PHP.net is inadequate, said security expert Christopher Kunz. He suggests a slightly modified form of the rule as an alternative.
Because the PHP interpreter for CGI does not comply with the specifications laid out in the CGI standard, URL parameters can, under certain circumstances, pass to PHP as command line arguments. Servers that run PHP in CGI mode suffer from the vulnerability. FastCGI PHP installations do not.
The PHP patch should ensure parameter strings beginning with a minus sign and do not contain an equal sign are ignored. According to the discoverer of the vulnerability, that is an easy bypass. A new, slightly modified patch which uses query_string instead of decoded_query_string for one comparison has already gone into the bug tracking system.
Users can determine whether they are affected by the bug by appending the string ?-s to a URL. If the server returns PHP source code, there should be rapid action. A Metasploit module which opens a remote shell for executing arbitrary code on vulnerable servers is already available.