Latest PHP 4.3.12 and cgi flaw

I run Virtualmin Pro and site are set to FCGId (run as virtual server owner).
Is the cgi flaw mentioned above related to how FCGI operates at all?


I assume you mean PHP 5.3.12 (rather than 4.3.12).

Does the flaw relate to FCGID? It doesn’t appear that way – reading the vulnerability explanation, it sounds like it’s only present in CGI, and not in FCGID or FastCGI.

However, it sounds like it’s exploitable by calling a PHP app, and passing in ?-s as a parameter – so you could always test it.

Doing some testing of my own on a vulnerable version of PHP running CGI – I don’t seem to be able to trigger the flaw on a system running Virtualmin.

That may in part be due to how the Virtualmin CGI wrapper script works – it doesn’t pass in any parameters to the php-cgi binary.

It instead tells PHP what script to look for by setting an environment variable, and once that’s set, it calls php-cgi without any parameters.

That setup may be preventing that flaw from being triggered, which requires certain parameters to be passed along to the PHP binary.


yes, 5.3.13 as it is now!
Thanks for the response.