New PHP vulnerabilities disclosed and new PHP version available
While the PHP developers have published version 4.4.6 of the scripting language, which fixes several bugs introduced by the previous version, the initiators of the Month of PHP Bugs (MOPB) have disclosed further new bugs, including some that have not yet been fixed.
PHP version 4.4.5 was designed to close several security vulnerabilities; however, a new bug caused PHP to crash when register_globals was enabled. This bug and some "minor" flaws, which could also cause PHP to crash, have now been fixed.
Four more security advisories have been published in the meantime, in addition to the vulnerability caused by the variable reference counters in PHP 4, which are only 16 bits wide (see related news). The second advisory deals with known PHP crashes caused by very deep recursion, which affect all PHP versions. For instance, recursive checks of user input may cause PHP to run out of stack and crash; however, the PHP developers do not regard this as a security hole and are unwilling to fix the problem.
A third advisory reports on the same deep recursion bug sitting in the Zend engine; the reasons for not fixing this problem are the same as those mentioned above. In their fourth advisory, the MOPB initiators demonstrate that the 16-bit variable reference counter bug in PHP 4 is not just a local problem, but can also be exploited remotely. For instance, using the function unserialize() to check user input may lead to arbitrary code execution. The PHP developers fixed this bug in PHP 4.4.5, but forgot to mention it in their release announcement.
The last advisory concerns the function zend_hash_init(), which might trigger an endless loop on 64-bit systems. This bug affected all PHP versions and was fixed in PHP 4.4.5 and 5.2.1. However, although the PHP developers changed the length of the variables that cause the bug from 32 bits to 64 bits, the Zend engine still worked with 32-bit variables, so the fix was incomplete.
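The deep recursion and unserialize() advisories above both come down to one application-level habit: letting the nesting depth of untrusted input decide how deep the interpreter recurses. The following is an added example written for this article, not code from heise, MOPB or the PHP project; it shows a validator for nested user input that enforces an explicit depth bound before descending, and a JSON-based decoder that avoids calling unserialize() on request data at all. The names MAX_INPUT_DEPTH, validate_nested() and decode_request_body() are assumptions for this example, and the nested input is constructed inline.

```php
<?php
// Added example, not from the heise article or the MOPB advisories.
// Idea: reject input nested deeper than the application needs instead of
// recursing until PHP runs out of stack. Names below are assumptions.

const MAX_INPUT_DEPTH = 16;   // assumed limit; choose what the application needs

/**
 * Recursively check that $value contains only scalars, null and arrays,
 * with at most $maxDepth levels of array nesting. Returns true if the
 * value is acceptable, false otherwise. $depth is the current level.
 */
function validate_nested($value, int $maxDepth = MAX_INPUT_DEPTH, int $depth = 0): bool
{
    if (is_array($value)) {
        // Bound is checked before descending, so the recursion can never
        // go deeper than $maxDepth frames regardless of what the client sent.
        if ($depth >= $maxDepth) {
            return false;
        }
        foreach ($value as $item) {
            if (!validate_nested($item, $maxDepth, $depth + 1)) {
                return false;
            }
        }
        return true;
    }
    // Scalars and null are fine; objects and resources are not expected here.
    return is_scalar($value) || $value === null;
}

/**
 * Decode a JSON request body into plain arrays (never objects), letting
 * json_decode() enforce the same depth bound, then re-check the result.
 * Returns null on any failure. JSON is the alternative to unserialize()
 * for untrusted data: it cannot rebuild arbitrary PHP structures.
 */
function decode_request_body(string $body, int $maxDepth = MAX_INPUT_DEPTH)
{
    // json_decode()'s $depth argument counts container levels plus one for
    // the innermost scalar, so $maxDepth + 1 allows $maxDepth array levels.
    $data = json_decode($body, true, $maxDepth + 1);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return null;
    }
    return validate_nested($data, $maxDepth) ? $data : null;
}

// --- constructed demo input, not data from the article -------------------

// A shallow document is accepted.
$shallow = ['user' => 'alice', 'tags' => ['a', 'b']];
var_dump(validate_nested($shallow));

// Build an array nested 10000 levels deep iteratively (no recursion here);
// this is the shape of input that makes an unbounded validator exhaust
// the stack. The bounded validator rejects it at level MAX_INPUT_DEPTH.
$deep = 'x';
for ($i = 0; $i < 10000; $i++) {
    $deep = [$deep];
}
var_dump(validate_nested($deep));

// The same shape as JSON text is refused by the decoder's depth limit.
$deepJson = str_repeat('[', 10000) . '1' . str_repeat(']', 10000);
var_dump(decode_request_body($deepJson));
```

The first var_dump() prints bool(true), the other two print bool(false) and NULL. The depth check sits before the recursive call rather than after it, which is the whole difference between a validator that refuses hostile input and one that crashes on it; the json_decode() depth argument has existed since PHP 5.3, so the second function does not apply to the PHP 4 line the article discusses.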
When asked by heise Security, Stefan Esser explained that some of the bugs already fixed are listed on the MOPB site because the MOPB initiators had reported many vulnerabilities to the PHP developers beforehand. MOPB also wants to point out that some of the bugs deemed local problems may also be used remotely to crash the server.
- Announcement of PHP 4.4.6
- Download the new version of PHP
- PHP Executor Deep Recursion Stack Overflow, Error report on MOPB
- PHP Variable Destructor Deep Recursion Stack Overflow, Error report on MOPB
- PHP 4 unserialize() ZVAL Reference Counter Overflow, Error report on MOPB
- PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability, Error report on MOPB