Announcement of PHP security vulnerability (CVE-2012-1823)

One of our sysadmins picked up the disclosure of this PHP vulnerability last week. It’s kind of important, so we thought we’d share it with you.

Eindbazen PHP-CGI advisory (CVE-2012-1823)

It’s interesting because a default mod_php installation isn’t vulnerable, but a fairly common deployment technique using php-cgi is (the technique is common because it’s sane and not a gaping security hole the size of a hallway).

Details are still up in the air. There are a couple of official updates for PHP, but it’s been shown that they do not fix the problem. As a result, people have come up with a few mitigation techniques that will dodge this bullet until it’s properly fixed.

To clarify our position, Anchor uses php-cgi and immediately took steps to mitigate the threat. We’ve written about our use of php-cgi in the past; have a read if you’re interested in the how-and-why.

If you have any questions about your hosting and what this means for you, feel free to drop us a mail at support@anchor.net.au, or call us on 1300-883-979 (+61-2-8296-5111 from outside Australia).