p2pnet.net News:- Hardened-PHP says multiple critical vulnerabilities that allow local and remote execution of arbitrary code have been found in PHP 4 / 5.

“During the development of Hardened-PHP which adds security hardening features to the PHP codebase, several vulnerabilities within PHP were discovered that reach from bufferoverflows, over information leak vulnerabilities and path truncation vulnerabilities to safe_mode restriction bypass vulnerabilities,” it says.

Vulnerable scripts include:

• phpBB2
• Invision Board
• vBulletin
• Woltlab Burning Board 2.x
• Serendipity Weblog
• phpAds(New)

However, the just-released v0.2.4 backports several security fixes that went into PHP 4.3.10, and also has a few new features, says the site, adding:

“Most probably it will be the last release in the 0.2.x series because the 0.3.x tree is currently in a closed beta test.”

Hardened-PHP “strongly recommends” upgrading to the new PHP-Releases a soon as possible, “because a lot of PHP applications expose the easy to exploit unserialize() vulnerability to remote attackers. Additionally we always recommend to run PHP with the Hardened-PHP patch applied.”

Hardened-PHP says it won’t be releasing vulnerability exploits to the public.

===================

See:-
critical vulnerabilities - Multiple vulnerabilities within PHP 4/5, Hardened-PHP, December 15, 2004

This entry was posted on Friday, December 17th, 2004 at 6:59 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

HOME

Viewed 4057 times