Our customers are protected against the CVE-2012-1823 PHP security bug

There’s been a lot of talk in the last few days about a nasty PHP security bug that allows “hackers” to compromise some Web sites that use the PHP scripting language.

Our customers are not vulnerable to this problem because of the way PHP is set up on our servers. You don’t need to worry about it.

Since this is a big deal, we’ve checked all the possibilities very carefully:

None of these are susceptible to the bug. The first and last aren’t vulnerable for the reason listed in comment 38 of that page (we use “AddHandler” instead of “Action”), and the FastCGI case isn’t vulnerable because the “wrapper script” we suggest doesn’t pass any user-supplied parameters through to the PHP binary.

So unless you’ve compiled your own version of PHP and installed it in a way that the PHP documentation recommends against for security reasons (and you’d certainly know if you’d done so), you’re safe.

As an extra measure, we’ve also added “mod_security” rules to block the most common “in the wild” attacks that try to exploit this bug (based on seeing a very large number of them in our logs). Requests blocked by these rules can’t even start PHP running.
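
A log check for the kind of attempts described above, as an added example (it is not our mod_security rule set). It follows the public CVE-2012-1823 description, which concerns query strings that lack an "=" character and carry command-line options; the Apache combined log format, the sample lines and the placeholder switch `-X` are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Client address and request target of an Apache combined-format log line.
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')
# Bytes skipped before the first significant character (controls and space).
LEADING_JUNK = bytes(range(0x21))

def query_looks_like_option(raw_query: str) -> bool:
    """True if the query has no unencoded '=' and, once decoded, starts with '-'."""
    if not raw_query or "=" in raw_query:
        return False  # ordinary key=value queries are not the case in the CVE
    # Decode %XX escapes and '+' so an encoded hyphen or leading space is caught.
    decoded = unquote_to_bytes(raw_query.replace("+", " "))
    return decoded.lstrip(LEADING_JUNK).startswith(b"-")

def scan_log(lines):
    """Return (client, target) for each request whose query matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        _path, sep, query = m.group("target").partition("?")
        if sep and query_looks_like_option(query):
            hits.append((m.group("client"), m.group("target")))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder switch "-X").
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2012:10:00:01 +0000] "GET /index.php?-X HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [05/May/2012:10:00:02 +0000] "GET /index.php?%2DX HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.5 - - [05/May/2012:10:00:03 +0000] "GET /index.php?+-X HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.44 - - [05/May/2012:10:00:04 +0000] "GET /list.php?page=-1 HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.45 - - [05/May/2012:10:00:05 +0000] "GET /about.php?print HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for client, target in scan_log(SAMPLE_LOG):
        print(f"{client}\t{target}")
```

The first three sample requests are flagged; the last two are ordinary queries and are not.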