Gentoo has issued a security advisory with a high impact rating affecting users of PHP <5.2.2.

Several vulnerabilities have been found in PHP, not least a huge number discovered by Stefan Esser during the infamous Month Of PHP Bugs (MOPB) including integer overflows in wbmp.c from the GD library and in the substr_compare() PHP 5 function.

There have also been reports of a buffer overflow in the make_http_soap_request() and in the user_filter_factory_create() functions as well as a buffer overflow in the bundled XMLRPC library. If that weren’t enough, the session_regenerate_id() and the array_user_key_compare() functions contain a double-free vulnerability. Oh, and let’s not forget the implementation errors in the Zend engine, in the mb_parse_str(), the unserialize() and the mail() functions and other elements.

The fact that remote attackers therefore have the potential ability to exploit these vulnerabilities in PHP applications which could, of course, lead to arbitrary code execution. And Denial of Service attacks. And scripted content execution within the context of an exploited site. And information leaks due to the bypassing of security.

And the workaround is? Err, it is non-existent actually. If you are a PHP 5 user then you really should make sure you are using the latest available version.

10 Years
Discussion Span
Last Post by newsguy

Just curious, if this is a PHP flaw, then how come it is only affecting Gentoo? Or is Gentoo simply giving the warning on behalf of all PHP 5 users?


>They could move over to ASP
microworld of microsoft??? you must by joking. For once it is damn slow, for two it crash often then windows and connection to db is awful. I don't know why all computing colleges actualy teach VB and related products

the Month of PHP Bugs can be found here http://www.php-security.org/

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.