Wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,' a CERT advisory explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't actually remove the vulnerability."
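The condition the CERT quote describes can be looked for in web-server access logs. The following is an added example, not part of the Slashdot post or of PHP itself: it flags requests whose query string has no unencoded `=` (the case in which a CGI server hands the query to the binary as command-line words, per RFC 3875 section 4.4) and whose decoded words begin with `-`. The log format, sample lines and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def query_becomes_argv(query):
    """True when the query has no unencoded '=', so a CGI server may
    split it on '+' and pass the words as command-line arguments."""
    return bool(query) and "=" not in query

def switch_args(query):
    """Return the decoded argument words that look like switches (-s, -d, -c ...)."""
    if not query_becomes_argv(query):
        return []
    words = [unquote(w) for w in query.split("+")]
    return [w for w in words if w.startswith("-")]

def scan(lines):
    """Return (line_number, path, switches) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        switches = switch_args(query)
        if switches:
            hits.append((number, path, switches))
    return hits

# Constructed sample log lines (documentation IP addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/May/2012:10:00:01 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [03/May/2012:10:00:07 +0000] "GET /index.php?-s HTTP/1.1" 200 18230',
    '192.0.2.10 - - [03/May/2012:10:00:09 +0000] "GET /search.php?q=-s HTTP/1.1" 200 901',
    '192.0.2.44 - - [03/May/2012:10:00:12 +0000] "GET /index.php?%2ds HTTP/1.1" 200 18230',
    '192.0.2.10 - - [03/May/2012:10:00:15 +0000] "GET /isindex.php?hello+world HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for number, path, switches in scan(SAMPLE_LOG):
        print(f"line {number}: {path} would receive switches {switches}")
```

Only the second and fourth sample lines are flagged: `q=-s` contains an unencoded `=` and so is never split into arguments, while `%2ds` decodes to `-s` and would slip past a check that inspected the raw query text alone.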