Controversial 'month of bugs' getting security results

Summary: Say what you want about the ethics of the "month of bugs" phenomenon, these vulnerability disclosure projects are getting immediate -- and valuable -- results.



On the heels of Apple, Microsoft and others patching serious holes exposed during month-of-bugs projects, the PHP Group has released PHP 4.4.7 with fixes for seven security vulnerabilities discussed in Stefan Esser's month of PHP bugs.

During the month of March, Esser released details -- and exploit code where applicable -- for a total of 45 potentially serious vulnerabilities in the open-source scripting language.

At the time, Esser said he was motivated by the PHP Group's blasé approach to confirming and fixing exploitable flaws but, from the look of things, the PHP development team was paying close attention to Esser's disclosures.

The eight month-of-PHP-bugs issues addressed in PHP 4.4.7 are:

  • Fixed asciiz byte truncation inside mail() -- (MOPB-33)
  • Fixed a bug in mb_parse_str() that can be used to activate register_globals -- (MOPB-26)
  • Fixed unallocated memory access/double free in array_user_key_compare() -- (MOPB-24)
  • Fixed a double free inside session_regenerate_id() -- (MOPB-22)
  • Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers -- (MOPB-21)
  • Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03)
  • XSS in phpinfo() -- (MOPB-8)

"While the majority of the issues outlined above are local, a few issues such as the XML-RPC overflows can be triggered remotely and therefore should be considered critical. If you use the XML-RPC extension consider upgrading as soon as possible," the PHP development team said.

Ubuntu and Debian have both issued new PHP packages to incorporate fixes for Esser's vulnerabilities.
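For an administrator who wants to know whether a host is still exposed to the issues listed above, the following audit script is an added example (not code from the article, from Stefan Esser, or from the PHP Group). It checks the facts the article gives: the PHP version against 4.4.7, the register_globals setting that MOPB-26 could re-enable, the max_input_nesting_level limit introduced for MOPB-03, the open_basedir setting that the MOPB-21 wrapper checks depend on, and whether the remotely reachable XML-RPC extension is loaded. The function name, the 64 nesting-level threshold and the wording of the findings are this example's own assumptions.

```php
<?php
// Added example: a read-only audit of a PHP host against the PHP 4.4.7 / MOPB
// items discussed in the article. Nothing here changes configuration; it only
// reports findings so a defender can decide what to patch or harden.

// php.ini booleans come back as strings ("1", "On", "", "Off"); normalise them.
function ini_flag_enabled($name)
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function audit_php_host_for_mopb_fixes()
{
    $findings = array();

    // The article states PHP 4.4.7 is the release carrying the MOPB fixes.
    $patched = version_compare(PHP_VERSION, '4.4.7', '>=');
    if (!$patched) {
        $findings[] = 'PHP ' . PHP_VERSION . ' predates 4.4.7; the MOPB fixes listed '
                    . 'in the 4.4.7 release are not present';
    }

    // MOPB-26: a bug in mb_parse_str() could be used to activate register_globals.
    // Having it off is the baseline; the fix closes the path that re-enables it.
    if (ini_flag_enabled('register_globals')) {
        $findings[] = 'register_globals is enabled (broad attack surface; MOPB-26 '
                    . 'concerned a way to switch it on even when off)';
    }

    // MOPB-03: input variable nesting is now bounded by max_input_nesting_level.
    // An empty value means the build predates the setting; 64 is an assumed
    // sane ceiling for this example, not a value the article specifies.
    $nesting = ini_get('max_input_nesting_level');
    if ($nesting === false || $nesting === '') {
        $findings[] = 'max_input_nesting_level is not available; build predates the MOPB-03 fix';
    } elseif ((int) $nesting > 64) {
        $findings[] = 'max_input_nesting_level is ' . (int) $nesting . ' (assumed ceiling: 64)';
    }

    // MOPB-21: open_basedir / safe_mode checks were missing from the zip:// and
    // bzip:// wrappers. The fix only helps where open_basedir is actually set.
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is unset; wrapper path restrictions (MOPB-21) have nothing to enforce';
    }

    // The PHP team singled out the XML-RPC overflows as remotely triggerable.
    if (extension_loaded('xmlrpc') && !$patched) {
        $findings[] = 'xmlrpc extension is loaded on an unpatched build; remotely reachable, treat as critical';
    }

    return $findings;
}

// Usage: run from the CLI or a restricted admin page and read the report.
$report = audit_php_host_for_mopb_fixes();
if (count($report) === 0) {
    echo "No findings: version and settings look consistent with the 4.4.7 fixes.\n";
} else {
    foreach ($report as $line) {
        echo '- ' . $line . "\n";
    }
}
```

The script deliberately stays on the PHP 4 / early PHP 5 language subset (no type declarations, array() syntax) so it can run on the very hosts the article is about; on a modern interpreter the version check simply passes and the remaining settings are still reported.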


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
