PHP update plugs serious security holes

PHP update plugs serious security holes

Summary: The open-source PHP Group has shipped a new version of the general-purpose scripting language to fix multiple security holes that could lead to security bypass and the exposure of sensitive information.

SHARE:
TOPICS: Security
0
The open-source PHP Group has shipped a new version of the general-purpose scripting language to fix multiple security holes that could lead to security bypass and the exposure of sensitive information.

According to an advisory from the Apache-backed project, some of the vulnerabilities can be triggered remotely under certain circumstances. "This is a major stability and security enhancement of the 5.X branch, and all users are strongly encouraged to upgrade to it as soon as possible," the group warned.

Secunia rates the update as "moderately critical" and stressed that there are unspecified overflows that can be exploited to cause a stack overflow in the session extension. The "safe_mode" and "open_basedir" protection mechanisms in PHP can also be bypassed via the session extension.

Stack overflows also exist in the "zip", "imap", and "sqlite" extensions while a boundary error within the stream filters can be exploited to cause a buffer overflow.

The big security upgrades comes ahead of plans by PHP security guru Stefan Esser to launch a Month of PHP Bugs project in March 2007.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion