Fwd: [afnog] PHP vulnerability leading to potential disclosure of PHP keys

Looks pretty bad.

---------- Forwarded message ----------
From: Loganaden Velvindron <loganaden@gmail.com>
Date: Sat, Jul 19, 2014 at 4:19 PM
Subject: [afnog] PHP vulnerability leading to potential disclosure of PHP keys
To: afnog@afnog.org

Hi guys,

This PHP vulnerability received little attention in the press compared to OpenSSL's heartbleed, but its impact cannot be underestimated.

https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html

I sent a fix for FreeBSD & Ubuntu/Debian, and you can grab them.

Please update your php as soon as possible.

Kind regards,
//Logan
C-x-C-c

--
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.

_______________________________________________
afnog mailing list
http://afnog.org/mailman/listinfo/afnog

Can be plugged by disabling the phpinfo() function. Also, it requires the *script author* to expose certain portions of the memory. Hence it is being classified as being of low severity.

On Wed, Aug 6, 2014 at 3:19 PM, Laban Mwangi via skunkworks <skunkworks@lists.my.co.ke> wrote:
Looks pretty bad.
---------- Forwarded message ----------
From: Loganaden Velvindron <loganaden@gmail.com>
Date: Sat, Jul 19, 2014 at 4:19 PM
Subject: [afnog] PHP vulnerability leading to potential disclosure of PHP keys
To: afnog@afnog.org
Hi guys,
This PHP vulnerability received little attention in the press compared to OpenSSL's heartbleed, but its impact cannot be underestimated.
https://www.sektioneins.de/en/blog/14-07-04-phpinfo-infoleak.html
I sent a fix for FreeBSD & Ubuntu/Debian, and you can grab them.
Please update your php as soon as possible.
Kind regards, //Logan C-x-C-c
-- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
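The reply above suggests disabling phpinfo() as a stopgap. The following is an added example, not code from the thread or from PHP: a small checker that reads php.ini text and reports whether `phpinfo` is listed in `disable_functions`. The function names and sample ini contents are constructed for illustration, and it assumes a single php.ini file in which the last assignment of a directive is the effective one.

```python
def disabled_functions(ini_text):
    """Return the set of function names in the effective disable_functions value.

    Assumption: only one php.ini text is inspected (no additional scan
    directories), and the last uncommented assignment wins.
    """
    value = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, ';' comments and section headers such as [PHP].
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, val = line.partition("=")
        if not sep or key.strip() != "disable_functions":
            continue
        # Drop a trailing inline comment and optional surrounding quotes.
        value = val.split(";", 1)[0].strip().strip("\"'")
    # PHP function names are case-insensitive, so normalise to lower case.
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def phpinfo_disabled(ini_text):
    """True when phpinfo appears in the effective disable_functions list."""
    return "phpinfo" in disabled_functions(ini_text)


# Constructed sample: the mitigation is only present as a commented-out line.
SAMPLE_EXPOSED = """
[PHP]
; disable_functions = phpinfo
disable_functions =
"""

# Constructed sample: phpinfo is disabled (mixed case, inline comment).
SAMPLE_HARDENED = """
[PHP]
disable_functions = exec, PHPINFO ; stopgap until PHP is updated
"""

# Constructed sample: a later assignment silently drops the mitigation.
SAMPLE_OVERRIDDEN = """
[PHP]
disable_functions = phpinfo
disable_functions = "exec,system"
"""

if __name__ == "__main__":
    for name in ("SAMPLE_EXPOSED", "SAMPLE_HARDENED", "SAMPLE_OVERRIDDEN"):
        print(name, "phpinfo disabled:", phpinfo_disabled(globals()[name]))
```

Disabling the function only narrows exposure; the original message's advice to update PHP still applies.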