Critical Security Flaw Found in PHP

A flaw recently found in PHP, and disclosed to the public by mistake, can expose any page on an affected server to the injection of malicious code. The vulnerability, which affects only servers running PHP in CGI mode, was discovered by a team of hackers during a competition.
The essence of the flaw is that PHP command-line parameters can be passed directly in the URL. For example, when the address http://localhost/index.php?-s is requested, the server runs PHP with the -s parameter, which outputs the file’s source code instead of the HTML it generates. That alone would be problem enough (after all, it is common for source code to contain data such as database passwords), but the team that discovered the flaw also realized that it allows malicious code to be inserted into the file and executed.
Findings of this type are usually sent to the developers first, so that they can fix the problem and release an update before the media announce the flaw and its correction; in this case, however, through human error the bug was accidentally marked “public” in PHP’s bug tracking system.
Although the development team has already released a patch, there are reports that it does not completely solve the problem. The ideal is to run PHP in a mode other than CGI (the flaw does not occur in FastCGI mode) or to add a rule to the Apache .htaccess file that blocks URLs whose query string begins with “-”, thus preventing PHP parameters from being passed. The rule is the one below:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
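As an added example (not part of the original article), the following Python mirrors the RewriteCond above and applies it to a few constructed Apache access-log lines, showing which requests the rule strips and which ordinary query strings it leaves untouched. The log lines, paths and IP addresses are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the .htaccess RewriteCond; the [NC] flag maps to re.IGNORECASE.
# It matches a query string that starts with "-" (literal or %2d-encoded)
# and contains no "=", so ordinary key=value queries are left alone.
RULE = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

def query_is_stripped(query_string: str) -> bool:
    """True if the RewriteCond matches, i.e. the rule would drop this query string."""
    return RULE.match(query_string) is not None

def rewrite(request_uri: str) -> str:
    """Apply the two-line rule to a request URI: "$1?" forwards it with an empty query."""
    parts = urlsplit(request_uri)
    if query_is_stripped(parts.query):
        return parts.path
    return request_uri

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2012:12:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
10.0.0.7 - - [10/May/2012:12:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
10.0.0.9 - - [10/May/2012:12:00:03 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 2048
10.0.0.5 - - [10/May/2012:12:00:04 +0000] "GET /index.php?-sort=asc HTTP/1.1" 200 512
"""

# Client IP and request target from a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} \d+')

def find_suspicious(log_text: str) -> list:
    """Return (client_ip, request_uri) for requests whose query string the rule would strip.

    Useful for checking historical logs for requests that reached PHP-CGI
    before the rule was in place."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and query_is_stripped(urlsplit(m.group(2)).query):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for ip, uri in find_suspicious(SAMPLE_LOG):
        print(f"{ip} requested {uri} -> rule forwards it as {rewrite(uri)}")
```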
A new update is due out soon, this time with a more effective fix. Until then, great care is advised.