PHP was recently found to have a vulnerability when run as a CGI binary (mod_cgi): a crafted request makes PHP display the source code of the requested PHP file instead of executing it.
PHP CGI vulnerability news
See the following news items:
- Critical open hole in PHP creates risks - Update 2
- PHP 5.3.12 and PHP 5.4.2 Released!
The PHP release announcement describes it as: "There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years."
How the CGI vulnerability is triggered
- http://localhost/index.php?-s
A query string that contains no "=" is handed to the CGI program as command-line arguments, so php-cgi receives "-s" as a switch and treats it as its "-s" (display syntax-highlighted source) option, printing the script's source instead of running it.
Temporary mitigation for Apache (mod_rewrite)
- RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
- RewriteRule ^(.*) $1? [L]
The condition matches any query string that begins with "-" (or its percent-encoded form "%2d") and contains no "=", i.e. exactly the kind of query string the server would pass on as command-line arguments; the rule then rewrites the request with an empty query string. This is only a stopgap until PHP is upgraded.
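To make the mechanism concrete, here is an added Python model (not code from the original post or from the PHP project) of the two pieces involved: how a CGI server turns a "="-less query string into argv (RFC 3875, section 4.4), and what the RewriteCond above filters out. The regex is transcribed from the rule; the request strings fed to it are constructed for the example.

```python
import re
from urllib.parse import unquote

# The Apache mitigation, transcribed from the RewriteCond above: a query
# string that starts with "-" (or percent-encoded "%2d") and contains no
# "=" is matched and, by the RewriteRule, discarded. [NC] = case-insensitive.
MITIGATION_RE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)


def cgi_argv(query_string):
    """Command-line arguments a CGI server passes to the script.

    RFC 3875 section 4.4: when QUERY_STRING contains no unencoded "=",
    the server splits it on "+" and URL-decodes each piece into argv.
    That is the path by which "index.php?-s" became "php-cgi -s".
    """
    if not query_string or "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+")]


def apply_mitigation(query_string):
    """Query string left after the RewriteRule ("" when it was stripped)."""
    if MITIGATION_RE.match(query_string):
        return ""
    return query_string


def php_cgi_flags(query_string, mitigated=True):
    """Option-like argv entries that would reach php-cgi for this request.

    With mitigated=False this models an unpatched server; with
    mitigated=True the rewrite rule runs first.
    """
    qs = apply_mitigation(query_string) if mitigated else query_string
    return [arg for arg in cgi_argv(qs) if arg.startswith("-")]


if __name__ == "__main__":
    # Constructed sample requests: the "?-s" from the post, its encoded
    # variant, a multi-argument variant, and an ordinary query string.
    for qs in ("-s", "%2ds", "-d+allow_url_include%3d1", "page=1"):
        print(f"{qs!r:32} unpatched argv={cgi_argv(qs)!r:40} "
              f"flags after rewrite={php_cgi_flags(qs)!r}")
```

Note that `"-d+allow_url_include%3d1"` contains only a percent-encoded "=", so the server still treats it as arguments ("-d" and "allow_url_include=1"); the RewriteCond also matches it, because `[^=]` only excludes the literal character. Ordinary `key=value` query strings never take the argv path and are left untouched.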
How Facebook handled the vulnerability
With a hole like this, plenty of people naturally wanted to try it on Facebook, and Facebook was happy to let everyone "see the source code".
Visiting http://facebook.com/?-s displays the following source:
<?php
include_once 'https://www.facebook.com/careers/department?dept=engineering&req=a2KA0000000Lt8LMAS';
Follow the Facebook link in that source and you land on a page with an "Apply for this position" button for a Security Engineer role. 😛