Large security holes found in PHP

  • SaN-DeeP
    Senior Member
    • Dec 2003
    • 1352
    • 1.1.x

    Large security holes found in PHP

    The PHP development team has released an update for the widely used scripting language that fixes a number of highly serious bugs, according to the project and independent security researchers. The developers warned that users should update to PHP 4.3.10 immediately, since some of the bugs are relatively easy to exploit. Stefan Esser of the Hardened PHP Project, which discovered the most serious flaws during development of security add-ons for PHP, said in an advisory the bugs range "from buffer overflows, to information leak vulnerabilities and path truncation vulnerabilities, to safe_mode restriction bypass vulnerabilities".

    The most immediately dangerous flaws relate to PHP's variable unserialize() function, which can allow attackers to execute malicious code on a system. "A lot of PHP applications expose the easy-to-exploit unserialize() vulnerability to remote attackers," Esser wrote. He noted that the Hardened-PHP patch makes some of the exploits ineffective. Attackers could make use of some of the other vulnerabilities to retrieve secret data from the "apache" Web server process, bypass security restrictions and gain escalated privileges, Esser said. Secunia, an independent security research firm based in Denmark, gave the flaws a "highly critical" rating. The PHP update also fixes more than 30 noncritical bugs, PHP developers said. A complete list of changes is available on the PHP website.



    PHP 4.3.10 Changelog
    Added the %F modifier to *printf to render a non-locale-aware representation of a float with the . as decimal separator.
    Fixed a bug in addslashes() handling of the '\0' character.
    Backported Marcus' foreach() speedup patch from PHP 5.x.
    Fixed potential problems with unserializing invalid serialize data.
    Fixed bug #31034 (Problem with non-existing iconv header file).
    Fixed bug #31024 (Crash in fgetcsv() with negative length).
    Fixed bug #31019 (Logic error mssql library checking).
    Fixed bug #30995 (snmp extension does not build with net-snmp 5.2).
    Fixed bug #30990 (allow popen() on *NIX to accept 'b' flag).
    Fixed bug #30826 (Certain reference relations cannot be unserialized properly).
    Fixed bug #30750 (Meaningful error message when upload directory is not accessible).
    Fixed bug #30739 (imagefill does not set back alphablending mode).
    Fixed bug #30672 (Problem handling exif data in jpeg images at unusual places).
    Fixed bug #30658 (Ensure that temporary files created by GD are removed).
    Fixed bug #30654 (oci8 persistent connection is deleted from hash if there was exclusive connection with the same credentials).
    Fixed bug #30613 (Prevent infinite recursion in url redirection).
    Fixed bug #30587 (array_multisort doesn't separate zvals before changing them).
    Fixed bug #30475 (curl_getinfo() may crash in some situations).
    Fixed bug #30442 (segfault when parsing ?getvariable[][ ).
    Fixed bug #30388 (rename across filesystems loses ownership and permission info).
    Fixed bug #30282 (segfault when using unknown/unsupported session.save_handler and/or session.serialize_handler).
    Fixed bug #30281 (Prevent non-wbmp images from being detected as such).
    Fixed bug #30276 (Possible crash in ctype_digit on large numbers).
    Fixed bug #30229 (imagerectangle and imagefilledrectangle do work well with alpha channel, corners are drawn twice).
    Fixed bug #30224 (Sybase date strings are sometimes not null terminated).
    Fixed bug #30133 (get_current_user() crashes on Windows).
    Fixed bug #30057 (did not detect IPV6 on FreeBSD 4.1).
    Fixed bug #30027 (Possible crash inside ftp_get()).
    Fixed bug #29805 (HTTP Authentication Issues).
    Fixed bug #29418 (double free when openssl_csr_new fails).
    Fixed bug #28598 (Lost support for MS Symbol fonts).
    Fixed bug #28325 (Circular references not properly serialized).
    Fixed bug #28228 (NULL decimal separator is not being handled correctly).
    Fixed bug #27469 (serialize() objects of incomplete class).
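The exposure Esser describes above, as an added example that is not code from the forum post, from the Hardened-PHP advisory or from the PHP project: an application that hands attacker-controlled bytes straight to unserialize() makes every bug in the unserializer reachable by anyone who can send a cookie. Upgrading to 4.3.10 / 5.0.3 removes the specific parser bugs; the hardened version below also removes the attack surface, by never calling unserialize() on client-written input. The cookie name 'prefs', the field names and the allowed values are assumptions made for the illustration.

```php
<?php
// Added example, not the forum post's, Esser's or the PHP project's code.
// The cookie name 'prefs', the fields 'theme'/'perpage' and the permitted
// values are assumptions for illustration only.

// VULNERABLE PATTERN: the remote user chooses every byte that reaches
// unserialize(). Any parser bug (such as those fixed in PHP 4.3.10) is
// therefore remotely reachable, regardless of what the application does
// with the result afterwards.
function load_prefs_vulnerable()
{
    if (!isset($_COOKIE['prefs'])) {
        return array('theme' => 'light', 'perpage' => 20);
    }
    return unserialize($_COOKIE['prefs']);
}

// HARDENED PATTERN: parse only the fields the application actually needs,
// whitelist each value, ignore everything else, and never pass client
// input to unserialize(). Nothing here is version-specific; it runs on
// PHP 4 and later. Assumed cookie format: "theme=dark;perpage=25".
function load_prefs_hardened()
{
    $defaults        = array('theme' => 'light', 'perpage' => 20);
    $allowed_themes  = array('light', 'dark');
    $allowed_perpage = array(10, 20, 50);

    if (!isset($_COOKIE['prefs']) || !is_string($_COOKIE['prefs'])) {
        return $defaults;
    }
    // Bound the input size before touching its contents.
    if (strlen($_COOKIE['prefs']) > 64) {
        return $defaults;
    }

    $prefs = $defaults;
    foreach (explode(';', $_COOKIE['prefs']) as $pair) {
        $kv = explode('=', $pair, 2);
        if (count($kv) != 2) {
            continue; // malformed pair: skip it, do not guess
        }
        list($key, $value) = $kv;
        switch ($key) {
            case 'theme':
                if (in_array($value, $allowed_themes, true)) {
                    $prefs['theme'] = $value;
                }
                break;
            case 'perpage':
                if (ctype_digit($value)
                    && in_array((int) $value, $allowed_perpage, true)) {
                    $prefs['perpage'] = (int) $value;
                }
                break;
            // Unknown keys are dropped rather than stored.
        }
    }
    return $prefs;
}

// State that must survive across requests belongs in the server-side
// session, where the client only ever holds an opaque session id and
// the serialized bytes never leave the server.
function save_prefs($prefs)
{
    $_SESSION['prefs'] = $prefs;
}
```

The point of the hardened version is not that it validates better, but that the unserializer is simply not on the path a remote user can reach. Where client-side state is unavoidable, the same principle applies: authenticate the blob (for instance with an HMAC, available as hash_hmac() from PHP 5.1.2 onward) and only unserialize bytes the server itself produced.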
  • merk
    Senior Member
    • Jul 2001
    • 4149

    #2
    The question is, does it affect PHP 5?


    • Floris
      Senior Member
      • Dec 2001
      • 37767

      #3
      PHP 4.3.10 & 5.0.3 released!
