eWeek Security Watch
May 2, 2008 9:47 AM

PHP Update Quashes Security Bugs



The open-source PHP Group has released a high-priority update to fix multiple security vulnerabilities.

The PHP 5.2.6 release corrects at least four documented security flaws of varying severity and also upgrades the bundled PCRE (Perl Compatible Regular Expressions) to version 7.6.

Secunia has slapped a "moderately critical" label on this update and warned that some of the PHP vulnerabilities can be exploited by malicious users to bypass certain security restrictions, which could cause a denial of service or compromise a vulnerable system.

The vulnerability details:

  • An unspecified error in the FastCGI SAPI can be exploited to cause a stack-based buffer overflow.
  • An unspecified error exists in processing incomplete multibyte characters within "escapeshellcmd()."
  • A security issue is caused due to an unspecified error. No further information is currently available.
  • An error in cURL can be exploited to bypass the "safe_mode" directive.
  • A boundary error in PCRE can potentially be exploited by malicious people to cause a DoS or compromise a vulnerable system.

* Photo credit: Stefan Esser's Month of PHP Bugs project.
