New PHP versions plug security vulnerabilities
With the release of PHP versions 4.4.4 and 5.1.5, the PHP developers have plugged security vulnerabilities in the scripting language. Attackers could potentially exploit these vulnerabilities to carry out denial-of-service attacks against vulnerable systems or to inject malicious code.
The new versions fix a bug in the way safe_mode/open_basedir is checked in the error_log(), file_exists(), imap_open() and imap_reopen() functions. They also fix overflows in the str_repeat() and wordwrap() functions on 64-bit systems. An overflow can occur in the GD extension in all versions. The cURL extension permits an attacker to bypass the restrictions on open_basedir/safe_mode. In version 5.x, the bug also affects the realpath cache.
The sscanf() function also contains a buffer which can overflow. With version 5.1.5, an out-of-bounds read access is possible in stripos(). The PHP programmers have also fixed a bug in the way memory_limit is dealt with on 64-bit systems.
The fixed bugs are sure to be exploited by attackers in the near future. Users of PHP under Windows should therefore install the new versions as soon as possible. Linux distributors will probably also supply new packages shortly. Users who don't want to wait that long can compile PHP themselves using the current source code packages from the PHP website.
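To find installations that still need the update, reported version strings can be compared against the two fixed releases. The following is an added example, not code from the PHP project: the host names, sample strings and status labels are constructed, and it assumes that any later release in the same major branch also contains the fixes.

```python
import re

# Fixed releases named in the article, keyed by PHP major version.
FIXED = {4: (4, 4, 4), 5: (5, 1, 5)}

VERSION_RE = re.compile(r"^\s*(?:PHP[ /])?(\d+)\.(\d+)\.(\d+)(.*)$", re.S)
PRERELEASE_RE = re.compile(r"^-?(rc|alpha|beta|dev)", re.I)
PACKAGE_RE = re.compile(r"^[-+~]")


def classify(reported):
    """Return 'fixed', 'vulnerable', 'verify' or 'unknown' for one version
    string, e.g. 'PHP 5.1.4 (cli)' or a package version like '4.4.2-1.1'."""
    m = VERSION_RE.match(reported)
    if m is None:
        return "unknown"
    version = tuple(int(p) for p in m.groups()[:3])
    suffix = m.group(4).strip()
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"  # branch the article does not cover
    if PRERELEASE_RE.match(suffix) and version == fixed:
        # A pre-release build of the fixed version is not the release itself.
        return "verify"
    if version >= fixed:
        return "fixed"  # assumption: later releases keep the fixes
    # Distribution packages can carry backported fixes under an older
    # upstream number, so a package suffix needs a look at its changelog.
    return "verify" if PACKAGE_RE.match(suffix) else "vulnerable"


def audit(inventory):
    """Map each host to the status of its reported PHP version."""
    return {host: classify(v) for host, v in inventory.items()}


# Constructed sample inventory (host names and strings are made up).
SAMPLE = {
    "web1": "PHP 5.1.4 (cli)",
    "web2": "5.1.5",
    "web3": "4.4.2-1.1",
    "web4": "PHP/4.3.11",
    "web5": "5.1.5RC1",
    "web6": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```

Hosts reported as `verify` run either a distribution package, which may or may not carry the fixes, or a pre-release build, so the package changelog decides.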
- PHP 5.1.5 Release Announcement, announcement from the PHP developers
- PHP 4.4.4 Release Announcement, announcement from the PHP developers
- Download the new PHP source code and the Windows installer
(ehe)