Loud Baking

For the ones of you who have not opted to receive the PHP announcements from the php.net site, here’s an important one you shouldn’t miss if you are using the 5.2.x branch.

From the PHP team:

over 60 bug fixes, several of which are security related

Some of the vulnerabilities are:

1. Various errors exist in the “htmlentities” and “htmlspecialchars” functions where partial multibyte sequences are not accepted.
2. Various boundary errors exist in the “fnmatch()”, “setlocale()”, and “glob()” functions and can be exploited to cause buffer overflows.
3. An error in the processing of “.htaccess” files can be exploited to bypass the “disablefunctions” directive by modifying the “mail.forceextraparameters” php.ini directive via an “.htaccess” file.
4. An error in the handling of variables can be exploited to overwrite values set in httpd.conf via the “iniset()” function.

More details can be found in the official announcement here.

This entry was posted on Thursday, November 15th, 2007 at 10:56 am and is filed under PHP5. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.