Hello all.
Php.net just published bad news: there is a vulnerability in the PHP interpreter that allows anybody to get the source code of any PHP page just by adding ?-s to any URL. This affects PHP 5.2, 5.3 and 5.4 when run as CGI - as is the case at Dathorn.
New, patched versions of PHP have been released for the 5.3 and 5.4 series. No patched version is available for 5.2, which is the default around here, and I believe there is none coming soon.
You can (and really should) stop your source code from being displayed by putting these lines in your .htaccess file:
Code:
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    RewriteRule ^(.*) $1? [L]
</IfModule>
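To check whether requests of this shape have already reached a site, the same condition can be run over an access log. This is an added example, not part of the original post; the function names are hypothetical and the log lines are constructed.

```python
import re

# Same pattern as the RewriteCond in the post; [NC] maps to re.IGNORECASE.
# Apache tests %{QUERY_STRING} undecoded, so the raw query string is tested here too.
SWITCH_QUERY = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Request field of a common/combined-format log line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_is_switch(query):
    """True if the rewrite rule in the post would strip this query string."""
    return SWITCH_QUERY.match(query) is not None


def flag_requests(lines):
    """Return (client, target) for every log line the rule would have matched."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # malformed or non-HTTP request line
        _path, sep, query = m.group("target").partition("?")
        if sep and query_is_switch(query):
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("target")))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:01:22 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "test-agent"',
    '203.0.113.7 - - [01/Jan/2020:10:01:25 +0000] "GET /contact.php?%2Ds HTTP/1.1" 200 2310 "-" "test-agent"',
    '198.51.100.4 - - [01/Jan/2020:10:02:02 +0000] "GET /list.php?page=-1 HTTP/1.1" 200 880 "-" "test-agent"',
    '198.51.100.4 - - [01/Jan/2020:10:02:09 +0000] "GET /search.php?q=php-cgi HTTP/1.1" 200 1200 "-" "test-agent"',
    '192.0.2.10 - - [01/Jan/2020:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "test-agent"',
]

if __name__ == "__main__":
    for client, target in flag_requests(SAMPLE_LOG):
        print(f"{client} requested {target}")
```

A hit with a 200 status and a response size larger than the page normally renders is worth a closer look, since the source of that script may have been served.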