eWeek Security Watch
Advertisement
Advertisement
January 4, 2008 11:31 AM

PHP Group Ships Final PHP 4 Patch



php_bugs.png The open-source PHP Group has updated the popular PHP 4 scripting language for the last time.

With PHP 4.4.8, the group provides patches for multiple security flaws that could allow attackers to bypass certain restrictions and announced that this "wraps up all the outstanding patches for the PHP 4.4 series."

"[This is] the last normal PHP 4.4 release. If necessary, releases to address security issues could be made until 2008-08-08," the group said.

According to security research outfit Secunia, this update carries a "moderately critical" rating.

In all, Secunia counts five security patches:

  • An integer overflow error exists in the "chunk_split()" function.
  • Integer overflow errors exist in the "strcspn()" and "strspn()" functions.
  • A regression error related to the "glob()" function exists, which can potentially be exploited to bypass the "open_basedir" directive.
  • An error exists within the handling of SQL queries containing "LOCAL INFILE" inside the MySQL extension. This can be exploited to bypass the "open_basedir" and "safe_mode" directives.
  • An error exists when processing "session_save_path" and "error_log" values, which can be exploited to bypass the "open_basedir" and "safe_mode" directives.
  • PHP has not held up well to security scrutiny in recent times. In March 2007, Stefan Esser's Month of PHP Bugs exposed gaping holes in the Zend Engine, the PHP core and the PHP extensions, prompting several bumper patches from the Apache-backed group.


    TrackBack

    TrackBack

    http://securitywatch.eweek.com/cgi-bin/mte/mt-tb.cgi/12356

    Comments (1)

    yacahuma :

    Anyone reading this will think it is the end of php. Please note that php is in version 5.2.5 This is just a reminder for everyone to move to PHP 5. Almost every php4 application will run fine on PHP 5 engine. Also PHP6(PHP5 + unicode) is already well under way. Long live PHP!!!

    Post a Comment

     
     
    RSS Syndication
    Advertisement
    Advertisement
    Security Watch     Contact Us | Advertise | Site Map
    eWEEK Quick LInks

    Ziff Davis Enterprise