A recently disclosed flaw in PHP's CGI implementation allows malicious users to remotely view and execute source code. The exploit was documented by the Eindbazen team and is tracked as CVE-2012-1823.

cPanel & WHM servers are not affected by this, thanks in part to a wrapper script used by cPanel & WHM when Apache is configured to use CGI for the PHP handler. cPanel & WHM servers using the default cPanel PHP CGI configuration are not vulnerable to the command line switch vulnerability.

When configured to use CGI or FCGI, cPanel & WHM instructs Apache to use the following wrapper script: /usr/local/cpanel/cgi-sys/php5 or /usr/local/cpanel/cgi-sys/php4. (The number after "php" is based upon the current major version of PHP.) The unmodified version of the wrapper script looks like the following:

The $binary placeholder will contain /usr/bin/php or /usr/php4/bin/php. By default, no command line parameters are included. This wrapper script does not pass through any command line options.

Server administrators are encouraged to verify their PHP configuration.