PHP update plugs serious security holes

Summary: The open-source PHP Group has shipped a new version of the general-purpose scripting language to fix multiple security holes that could lead to security bypass and the exposure of sensitive information.


According to an advisory from the Apache-backed project, some of the vulnerabilities can be triggered remotely under certain circumstances. "This is a major stability and security enhancement of the 5.X branch, and all users are strongly encouraged to upgrade to it as soon as possible," the group warned.

Secunia rates the update as "moderately critical" and stresses that there are unspecified overflows that can be exploited to cause a stack overflow in the session extension. The "safe_mode" and "open_basedir" protection mechanisms in PHP can also be bypassed via the session extension.

Stack overflows also exist in the "zip", "imap", and "sqlite" extensions, while a boundary error within the stream filters can be exploited to cause a buffer overflow.

The big security upgrade comes ahead of plans by PHP security guru Stefan Esser to launch a Month of PHP Bugs project in March 2007.

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
