Critical PHP vulnerability being fixed - Update
The PHP developers are working to fix a critical security vulnerability in PHP that they introduced with a recent security patch. The current stable release is affected; however, it is not yet clear whether the questionable patch was also applied to older versions.
The cause of the problem is the security update to PHP 5.3.9, which was written to prevent denial of service (DoS) attacks using hash collisions. To do so, the developers limited the maximum possible number of input parameters to 1,000 in php_variables.c using
max_input_vars. Because of mistakes in the implementation, hackers can intentionally exceed this limit and inject and execute code. The bug is considered to be critical as code can be remotely injected over the web.
The development version of PHP already has a patch for the bug, but the PHP developers have yet to issue an official advisory. It is not yet clear whether there are sensible immediate measures and workarounds for concerned administrators. Stefan Esser, who discovered the problem, pointed out that the use of the Suhosin security extension, which he helped develop, significantly reduces the possibility of the bug being exploited, even in the standard configuration.
Update – Version 5.3.10 of PHP has been released and is available from the project's downloads page. The critical security update addresses the remote code execution vulnerability reported by Esser. The developers strongly advise all users to upgrade to the current version.