In association with heise online

04 August 2006, 12:16

PHP 4.4.3 closes four-month-old holes


The new PHP version 4.4.3 eliminates 20 non-critical flaws as well as several security holes that have been open for months. These include one in the wordwrap() function that can provoke a buffer overflow, although the developers did not indicate whether the flaw can be used to plant and execute code. Also eliminated were vulnerabilities in the tempnam() and phpinfo() functions. These were fixed in PHP 5 as of version 5.1.3 at the beginning of May, and have been public since mid-April 2006.

It's not good news that the developers are allowing so much time to pass between fixes. The hole in phpinfo() still allows hackers to plant JavaScript in the victim's browser that can be used to read that user's cookies. The flaw in tempnam() can be used to bypass the open_basedir access restriction, an alternative to safe mode that is intended to prevent a user from jumping outside his home directory. The buffer overflow in wordwrap() has also been known since April. One factor may be that development of PHP 4 has been suspended. Security updates will continue, however, even if only after significant delay.

Beyond that, the safe_mode check for the error_log() function was improved and the parameter validation in substr_compare() was made more secure. The PCRE (Perl Compatible Regular Expressions) library for evaluating regular expressions was updated to version 6.6 in PHP 4.4.3. The developers recommend installing the updates as soon as possible. Users should also consider, however, whether a complete switchover to PHP 5 makes more sense.

See also:

  • PHP 4.4.3, Release announcement from

