Some weeks you can't win, reporting on a newly-discovered security problem in everyone’s favorite web language:

There is a vulnerability in certain CGI-based setups that has gone unnoticed for at least 8 years. […] A request containing “?-s” [in the URL query string] may dump the PHP source code for the page.

This only happens if the query string contains no “=”, and only on PHP installations run through the CGI interface, which (probably) covers very few at this point. It’s not made clear, though, whether this affects PHP installations using the newer FCGI interface that many non-Apache web servers rely on.
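The “no ‘=’ in the query string” condition is the CGI convention for an “indexed” query: when QUERY_STRING contains no “=”, the web server splits it on “+” and hands the words to the script as command-line arguments, which is how php-cgi came to see “-s” as one of its own switches. The following is an added example, not code from the original post or from the PHP project: a small log scanner that applies exactly that condition to Apache-style access-log lines and reports requests to .php scripts whose query string would have reached argv and begins with a dash. The sample log lines and the regular expression are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache common-log format; not taken
# from the original post. The 198.51.100.9 entries model the "?-s" pattern the
# post describes (plain and percent-encoded); the others are benign controls.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [03/May/2012:10:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 812
198.51.100.9 - - [03/May/2012:10:00:03 +0000] "GET /index.php?-s HTTP/1.1" 200 4096
198.51.100.9 - - [03/May/2012:10:00:04 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 4096
198.51.100.9 - - [03/May/2012:10:00:05 +0000] "GET /index.php?-s&x=1 HTTP/1.1" 200 812
203.0.113.7 - - [03/May/2012:10:00:06 +0000] "GET /search.php?q=-s HTTP/1.1" 200 900
"""

# Pull the client address, request path and raw query string out of one line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/'
)


def query_reaches_argv(query):
    """CGI convention: a QUERY_STRING with no '=' is an 'indexed' query; the
    server splits it on '+' and passes the words to the script as argv.
    An empty or absent query string is never passed on."""
    return bool(query) and "=" not in query


def is_suspicious(query):
    """True when the query would reach argv and one of its words, after
    percent-decoding, starts with '-' (so '%2Ds' is treated like '-s')."""
    if not query_reaches_argv(query):
        return False
    return any(unquote(word).startswith("-") for word in query.split("+"))


def scan_log(text):
    """Return (client, path, decoded query) for each request to a .php script
    whose query string would have been handed to the interpreter as switches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").endswith(".php"):
            continue
        if is_suspicious(m.group("query")):
            hits.append((m.group("client"), m.group("path"), unquote(m.group("query"))))
    return hits


if __name__ == "__main__":
    for client, path, query in scan_log(SAMPLE_LOG):
        print(f"{client} requested {path} with switch-like query {query!r}")
```

Note that the “-s&x=1” and “q=-s” lines are deliberately not flagged: both contain an “=”, so under the CGI rule the server treats them as ordinary form queries and never builds an argv from them, which matches the condition the post states. Percent-decoding each word before the dash check matters because a server-side check on the raw string would otherwise miss “%2Ds”.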

Making a bad week worse, we had a bug in our bug system that toggled the private flag of a bug report to public on a comment to the bug report, causing this issue to go public before we had time to test solutions to the level we would like.

Well, you shouldn’t have written your bug tracking system in… oh, never mind.
