Can be plugged by disabling the phpinfo() function. Also, it requires the *script author* to expose certain portions of the memory. Hence it is being classified as being of low severity On Wed, Aug 6, 2014 at 3:19 PM, Laban Mwangi via skunkworks < skunkworks@lists.my.co.ke> wrote:
Looks pretty bad.
---------- Forwarded message ---------- From: Loganaden Velvindron <loganaden@gmail.com> Date: Sat, Jul 19, 2014 at 4:19 PM Subject: [afnog] PHP vulnerability leading to potential disclosure of PHP keys To: afnog@afnog.org
Hi guys,
This PHP vulnerability received little attention in the press compared to OpenSSL's heartbleed, but its impact cannot be underestimated.
https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html
I sent a fix for FreeBSD & Ubuntu/Debian, and you can grab them.
Please update your php as soon as possible.
Kind regards, //Logan C-x-C-c
-- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
_______________________________________________ afnog mailing list http://afnog.org/mailman/listinfo/afnog
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke