Hi CF !
To everyone who is using php-cgi for server, plz update :
http://www.php.net/archive/2012.php#id2012-05-03-1
we can see your php file source code :D
Quote [03-May-2012]
There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states:
Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.
So, requests that do not have a "=" in the query string are treated differently from those who do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.
A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable.
If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.
To fix this, update to PHP 5.3.12 or PHP 5.4.2.
Most of them don't use mode_cgi
according to tweakers.net the update doesn't fix this issue though :/
http://support.nikonusa.com/app/?-s
http://support.webroot.com/app/answers/detail/a_id/1761?-s
That update doesn't seem to fix that leak either.
Who uses it anyways today.
Python on the way!!