Scientific Linux Security Update : php on SL5.x, SL6.x i386/x86_64

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.

Synopsis :

The remote Scientific Linux host is missing one or more security

Description :

PHP is an HTML-embedded scripting language commonly used with the
Apache HTTP Server.

A flaw was found in the way the php-cgi executable processed command
line arguments when running in CGI mode. A remote attacker could send
a specially crafted request to a PHP script that would result in the
query string being parsed by php-cgi as command line options and
arguments. This could lead to the disclosure of the script's source
code or arbitrary code execution with the privileges of the PHP
interpreter. (CVE-2012-1823)

Scientific Linux is aware that a public exploit for this issue is
available that allows remote code execution in affected PHP CGI
configurations. This flaw does not affect the default configuration in
Scientific Linux 5 and 6 using the PHP module for Apache httpd to
handle PHP scripts.

All php users should upgrade to these updated packages, which contain
a backported patch to resolve this issue. After installing the updated
packages, the httpd daemon must be restarted for the update to take

See also :

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
Public Exploit Available : true

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 61312 ()

Bugtraq ID:

CVE ID: CVE-2012-1823