Date: Sun, 25 Sep 2011 14:28:13 +0200 From: Pierre Joye <pierre.php@...il.com> To: oss-security@...ts.openwall.com Cc: security@....net Subject: Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8 hi, Btw, the correct fix (and less restrictive) is to disable allow_url_include, not allow_url_fopen. Cheers, On Sat, Sep 24, 2011 at 3:56 PM, Vincent Danen <vdanen@...hat.com> wrote: > Could a CVE be assigned for this flaw? PHP 5.3.7 changed how the is_a() > function worked, and as a result it could allow for remote arbitrary > code execution if certain specific conditions are met (the blog post > referenced below has a good writeup of the flaw). > > http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/ > https://bugs.php.net/bug.php?id=55475 > https://bugzilla.redhat.com/show_bug.cgi?id=741020 > > It looks like this is the fix: > > http://svn.php.net/viewvc/?view=revision&revision=317183 > > Thanks. > > -- > Vincent Danen / Red Hat Security Response Team -- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.