Business
PHP plugs security holes
The open-source PHP Group has issued a patch for at least four security flaws in the widely-used general-purpose scripting language.With PHP 5.
![ryan-naraine.jpg](https://www.zdnet.com/a/img/resize/58705b1ab848cb0209d7d7d504dffaab176d93aa/2014/07/22/4b4e2273-1175-11e4-9732-00505685119a/ryan-naraine.jpg?auto=webp&fit=crop&frame=1&height=192&width=192)
![mopb-logo.png](https://www.zdnet.com/a/img/2014/10/04/991f56cb-4b63-11e4-b6a0-d4ae52e95e57/mopb-logo.png)
With PHP 5.2.9 (see changeLog), the PHP development team corrects a total of 50 bugs, including a publicly-known flaw that allows attackers to read the contents of arbitrary memory locations in certain situations.
Here's the skinny on that issue, which is rated medium-severity:
- Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.
The other security fixes in PHP 5.2.9 are:
- Fixed a crash on extract in zip when files or directories entry names contain a relative path. (Pierre)
- Fixed explode() behavior with empty string to respect negative limit. (Shire)
- Fixed a segfault when malformed string is passed to json_decode(). (Scott)
ALSO SEE: