Our customers are protected against the CVE-2012-1823 PHP security bug
There’s been a lot of talk in the last few days about a nasty PHP security bug that allows “hackers” to compromise some Web sites that use the PHP scripting language.
Our customers are not vulnerable to this problem because of the way PHP is set up on our servers. You don’t need to worry about it.
Since this is a big deal, we’ve checked all the possibilities very carefully:
- PHP scripts that run without FastCGI;
- PHP scripts using FastCGI;
- Custom compiled PHP versions that use our “compile-and-install-php” shortcuts.
None of these are susceptible to the bug. The first and last aren’t vulnerable for the reason listed in comment 38 of that page (we use “AddHandler” instead of “Action”), and the FastCGI case isn’t vulnerable because the “wrapper script” we suggest doesn’t pass any user-supplied parameters through to the PHP binary.
So unless you’ve compiled your own version of PHP and installed it in a way that the PHP documentation recommends against for security reasons (and you’d certainly know if you’d done so), you’re safe.
As an extra measure, we’ve also added “mod_security” rules to block the most common “in the wild” attempted attacks that try to exploit this bug (based on seeing a very large number of them in our logs). These attackers can’t even start PHP running.