Latest PHP 4.3.12 and cgi flaw

I run Virtualmin Pro and sites are set to FCGId (run as virtual server owner).
Is the cgi flaw mentioned above related to how FCGI operates at all?

Howdy,

I assume you mean PHP 5.3.12 (rather than 4.3.12).

Does the flaw relate to FCGID? It doesn’t appear that way – reading the vulnerability explanation, it sounds like it’s only present in CGI, and not in FCGID or FastCGI.

However, it sounds like it’s exploitable by calling a PHP app, and passing in ?-s as a parameter – so you could always test it.

Doing some testing of my own on a vulnerable version of PHP running CGI – I don’t seem to be able to trigger the flaw on a system running Virtualmin.

That may in part be due to how the Virtualmin CGI wrapper script works – it doesn’t pass in any parameters to the php-cgi binary.

It instead tells PHP what script to look for by setting an environment variable, and once that’s set, it calls php-cgi without any parameters.

That setup may be preventing that flaw from being triggered, which requires certain parameters to be passed along to the PHP binary.

-Eric
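
A defensive check for the `?-s` pattern mentioned in the reply above, as an added example that is not part of the original thread: it scans web access log lines for query strings that a CGI server would hand to the binary as command-line switches. The log lines, log format and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request part of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_argv_style_query(query: str) -> bool:
    """True when the query would be passed as arguments and starts with a switch."""
    # Per the CGI spec, a query string with no unencoded "=" is an
    # "indexed" query, which the server splits on "+" and passes on
    # the command line of the CGI program.
    if not query or "=" in query:
        return False
    # Decode the first word so %2D is seen as "-", as the program would see it.
    first_arg = unquote(query.split("+")[0]).lstrip()
    return first_arg.startswith("-")

def suspicious_requests(log_lines):
    """Return request targets whose query string looks like a command-line switch."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        _path, sep, query = target.partition("?")
        if sep and is_argv_style_query(query):
            hits.append(target)
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=-s HTTP/1.1" 200 830',
    '192.0.2.12 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?virtualmin+fcgid HTTP/1.1" 200 910',
    '192.0.2.13 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 830',
]

if __name__ == "__main__":
    for target in suspicious_requests(SAMPLE_LOG):
        print("review:", target)
```

A hit only shows that such a request was received; whether the server was affected depends on how PHP is invoked, as the reply above explains.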

Yes, 5.3.13 as it is now!
Thanks for the response.