De Eindbazen also issued a fix that can be applied on top of the one from PHP

May 5, 2012 09:15 GMT

After the PHP-CGI bug was made public, PHP rushed to issue a patch, but as it later turned out, it didn’t completely address the problem. Researchers from De Eindbazen have added a new patch that should fix the vulnerability, but it only works if applied on top of the official PHP security update.

PHP almost immediately released versions 5.4.2 and 5.3.12 to mitigate the threat, but experts have noticed that the issue still exists.

“As mentioned on Eindbazen: The current fixes have a problem with whitespace BEFORE the actual Query String, i.e. ‘/?+-s’. This only applies in the wrapper environment outlined by eindbazen.net where command-line arguments are passed without double quotes to PHP, as in /usr/bin/php5 $@,” Christopher Kunz, of PHP-Security, wrote.

PHP now promises a new update, but until it becomes available, users can apply the workarounds recommended by De Eindbazen.
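The wrapper detail in the quote above comes down to shell word splitting, shown here in an added example that is not code from PHP, De Eindbazen or the original article. The function names are hypothetical, a shell function stands in for `/usr/bin/php5`, and the sample argument (a space followed by `-s`) is constructed from the page's "whitespace before the query string" description.

```shell
#!/bin/sh
# Added illustration: shell functions stand in for the CGI wrapper script and
# for the PHP binary. No PHP is run.

# Stand-in for the interpreter: prints every argument it received, bracketed,
# one per line, so leading whitespace is visible.
show_args() {
    for a in "$@"; do
        printf '[%s]\n' "$a"
    done
}

# Wrapper as quoted on the page: arguments forwarded without double quotes.
# The shell re-splits each argument on $IFS, so " -s" arrives as "-s".
wrapper_unquoted() {
    show_args $@
}

# Corrected wrapper: "$@" forwards each argument byte for byte.
wrapper_quoted() {
    show_args "$@"
}

# Returns 0 if the first argument the interpreter would see starts with '-',
# i.e. would be taken as a command-line option.
first_arg_is_option() {
    first=$("$1" "$2" | head -n 1)
    case "$first" in
        '[-'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed input: whitespace in front of the option, as in the page's example.
arg=' -s'

for w in wrapper_unquoted wrapper_quoted; do
    if first_arg_is_option "$w" "$arg"; then
        echo "$w: interpreter sees an option"
    else
        echo "$w: interpreter sees a plain argument"
    fi
done
```

Quoting the expansion in the wrapper keeps the leading whitespace intact, so a check that looks only at the first character of the argument sees the same bytes the interpreter does.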