Can be plugged by disabling the phpinfo() function.

Also, it requires the *script author* to expose certain portions of the memory. Hence it is being classified as being of low severity.


On Wed, Aug 6, 2014 at 3:19 PM, Laban Mwangi via skunkworks <skunkworks@lists.my.co.ke> wrote:
Looks pretty bad.

---------- Forwarded message ----------
From: Loganaden Velvindron <loganaden@gmail.com>
Date: Sat, Jul 19, 2014 at 4:19 PM
Subject: [afnog] PHP vulnerability leading to potential disclosure of PHP keys
To: afnog@afnog.org


Hi guys,

This PHP vulnerability received little attention in the press compared
to OpenSSL's Heartbleed, but its impact cannot be underestimated.

https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html

I sent a fix for FreeBSD & Ubuntu/Debian, and you can grab them.

Please update your PHP as soon as possible.

Kind regards,
//Logan
C-x-C-c



--
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
