PHP plugs security holes

The open-source PHP Group has issued a patch for at least four security flaws in the widely-used general-purpose scripting language.

With PHP 5.2.9 (see ChangeLog), the PHP development team corrects a total of 50 bugs, including a publicly known flaw that allows attackers to read the contents of arbitrary memory locations in certain situations.

Here's the skinny on that issue, which is rated medium-severity:

  • Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.
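
The missing bounds check behind this class of flaw, as an added example that is not taken from the article or from PHP's source: a simplified C model in which a caller-supplied `bgd_color` indexes an image palette, shown unchecked and hardened. The struct, the function names and the 256-entry palette size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define PALETTE_MAX 256 /* assumed palette capacity for this model */

/* Simplified model of an indexed (palette) image; not PHP's or GD's struct. */
typedef struct {
    int colors_total;   /* palette entries actually in use */
    unsigned char red[PALETTE_MAX], green[PALETTE_MAX], blue[PALETTE_MAX];
} indexed_image;

/* Flawed pattern: the caller-supplied index goes straight into the palette
 * arrays, so a value outside 0..PALETTE_MAX-1 reads adjacent memory. */
static int bg_rgb_unchecked(const indexed_image *im, int bgd_color) {
    return (im->red[bgd_color] << 16) | (im->green[bgd_color] << 8)
         | im->blue[bgd_color];
}

/* Hardened lookup: accept only indexes of palette entries in use. */
static int bg_rgb_checked(const indexed_image *im, int bgd_color) {
    if (!im || im->colors_total > PALETTE_MAX) return -1;
    if (bgd_color < 0 || bgd_color >= im->colors_total) return -1;
    return bg_rgb_unchecked(im, bgd_color); /* index proven in range */
}

/* Models the rotation step that paints uncovered pixels with the background
 * colour: whatever the lookup returns ends up in the output image. */
static int fill_background(const indexed_image *im, int bgd_color,
                           unsigned int *out, size_t n) {
    int rgb = bg_rgb_checked(im, bgd_color);
    if (rgb < 0 || !out) return -1; /* reject instead of leaking bytes */
    for (size_t i = 0; i < n; i++) out[i] = (unsigned int)rgb;
    return 0;
}

/* Constructed sample: three-colour palette (red, green, blue). */
static indexed_image make_sample(void) {
    indexed_image im = { .colors_total = 3 };
    im.red[0] = 255; im.green[1] = 255; im.blue[2] = 255;
    return im;
}

int main(void) {
    indexed_image im = make_sample();
    int probes[] = { 1, 3, -1, 100000 }; /* valid, unused slot, negative, huge */
    unsigned int px[4];
    for (size_t i = 0; i < 4; i++)
        printf("bgd_color=%d -> %d\n", probes[i], fill_background(&im, probes[i], px, 4));
    return 0;
}
```

The check compares against `colors_total` rather than the array size, so an index that is inside the array but names an unused palette slot is rejected as well.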

The other security fixes in PHP 5.2.9 are:

  • Fixed a crash on extract in zip when files or directories entry names contain a relative path. (Pierre)
  • Fixed explode() behavior with empty string to respect negative limit. (Shire)
  • Fixed a segfault when malformed string is passed to json_decode(). (Scott)

ALSO SEE:

Flaw trifecta kicks off Month of PHP Bugs

Controversial ‘month of bugs’ getting security results
