August 19th, 2011, 14:19 GMT · By

Critical Vulnerabilities Patched in PHP

PHP 5.3.7 released as security update
The PHP development team has released PHP 5.3.7 to address critical security vulnerabilities and to patch a large number of other bugs affecting the stability of the interpreter.

The new version fixes six security flaws, including two that could be exploited to execute arbitrary code on the underlying system.

One use-after-free vulnerability, identified as CVE-2011-1148, stems from an error in the substr_replace() function and carries a CVSS base score of 7.5.

Attackers can exploit this flaw to execute malicious code or to trigger a denial of service condition.

A stack buffer overflow (CVE-2011-1938) in the socket_connect() function, triggered by an overly long pathname passed for a Unix domain socket, can lead to similar consequences and was also addressed, as was a file path injection bug (CVE-2011-2202) reported by Krzysztof Kotowicz.

"An error within the 'SAPI_POST_HANDLER_FUNC()' function in rfc1867.c when handling file names via a 'multipart/form-data' POST request can be exploited to append a '/' or '\' character before the file name and e.g. delete files from the root directory," explains vulnerability management vendor Secunia.
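The bug Secunia describes lives in PHP's own multipart parser, but application code that builds a filesystem path from the client-supplied filename, or later unlinks that path during cleanup, inherits any separator the parser lets through. The PHP below is an added example written for this article, not code from the PHP project or the advisory; it assumes a writable upload directory outside the web root, passed as $destDir, and the openssl extension for generating random names.

```php
<?php
// Added example: hardening an upload handler against path injection in the
// client-supplied filename. Rule of thumb: never build a path from
// $_FILES[...]['name']. Treat it as an untrusted display string, derive at
// most a vetted extension from it, and choose the on-disk name yourself.

// Reduce a client-supplied filename to a safe base name, or return false.
function safe_client_filename($name)
{
    // Strip directory components for both Unix and Windows separators. Do not
    // rely on basename() alone: its treatment of '\' depends on the host OS.
    $name = str_replace('\\', '/', (string) $name);
    $name = basename($name);   // drops everything up to the last '/'

    // Reject empty names, dot-files and the '.' / '..' entries.
    if ($name === '' || $name[0] === '.') {
        return false;
    }
    // Whitelist: letters, digits, '-', '_' and one short extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?\z/', $name)) {
        return false;
    }
    return $name;
}

// Store an uploaded file under a server-chosen name. $file is one entry of
// $_FILES; $destDir is a fixed directory (assumed to exist and be writable).
function store_upload(array $file, $destDir)
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // Refuse to move (or later delete) anything that is not a real upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $clientName = safe_client_filename($file['name']);
    if ($clientName === false) {
        return false;
    }
    // Keep only the vetted extension; the base name is random, so nothing the
    // client sent ever becomes a path component.
    $ext  = pathinfo($clientName, PATHINFO_EXTENSION);
    $base = bin2hex(openssl_random_pseudo_bytes(16));
    $dest = rtrim($destDir, '/') . '/' . $base . ($ext !== '' ? '.' . $ext : '');

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    return $dest;
}

// Constructed inputs showing what the filter does with path-injected names
// of the kind the advisory describes (leading '/' or '\', traversal, dot-files).
foreach (array('report.pdf', '/passwd', '\\boot.ini', '../../etc/passwd', '.htaccess', '') as $n) {
    echo str_pad(var_export($n, true), 22), ' => ';
    var_export(safe_client_filename($n));
    echo "\n";
}
```

Because the stored name is generated server-side, a filename such as "/passwd" can at worst influence the extension, and the is_uploaded_file() check stops a cleanup routine from being pointed at an arbitrary path.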

The new release also patches a vulnerability in the crypt() function that can be exploited to cause a buffer overflow by providing an overly long salt, together with a denial of service flaw in error_log().

As far as security is concerned, PHP 5.3.7 also ships an updated crypt_blowfish implementation which resolves an issue with 8-bit passwords: a sign-extension bug in the previous code caused passwords containing non-ASCII characters to be hashed incorrectly.
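Both crypt() items above concern the salt and algorithm prefix, so the practical defence is to keep user input out of the salt argument entirely, generate the salt yourself, and select the corrected Blowfish code path with the $2y$ prefix that 5.3.7 introduced. The following PHP is an added example written for this article, not code from the PHP project; it assumes the openssl extension as the source of randomness.

```php
<?php
// Added example: generating and verifying Blowfish (bcrypt) hashes with
// crypt() so that the salt is never attacker-controlled and the $2y$ code
// path from PHP 5.3.7 is used.

// Build a 22-character salt from the bcrypt alphabet [./A-Za-z0-9].
// Assumes the openssl extension; substitute another CSPRNG otherwise.
function bcrypt_salt()
{
    $bytes = openssl_random_pseudo_bytes(16);            // 128 bits
    // base64 of 16 bytes is 22 significant chars plus "==" padding; bcrypt
    // uses '.' where base64 uses '+', and '/' is valid in both.
    return substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
}

// Hash $password with a fresh salt; $cost is the bcrypt work factor (2^cost).
function bcrypt_hash($password, $cost = 10)
{
    if ($cost < 4 || $cost > 31) {
        return false;
    }
    // Setting string: "$2y$" + two-digit cost + "$" + 22-char salt (29 chars).
    // This is the only shape crypt() should ever see; user input is confined
    // to the password argument.
    $setting = sprintf('$2y$%02d$%s', $cost, bcrypt_salt());
    $hash = crypt($password, $setting);
    // crypt() signals failure with a short string such as "*0"; a valid
    // bcrypt hash is exactly 60 characters and echoes the prefix.
    if (!is_string($hash) || strlen($hash) !== 60 || strpos($hash, '$2y$') !== 0) {
        return false;
    }
    return $hash;
}

// Verify a password against a stored hash without leaking the position of
// the first mismatching byte through early exit.
function bcrypt_verify($password, $hash)
{
    if (!is_string($hash) || strlen($hash) !== 60) {
        return false;
    }
    $check = crypt($password, $hash);   // a full hash is a valid setting string
    if (!is_string($check) || strlen($check) !== strlen($hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($hash); $i++) {
        $diff |= ord($check[$i]) ^ ord($hash[$i]);
    }
    return $diff === 0;
}

// Constructed demonstration, using a password with 8-bit (non-ASCII) bytes,
// the case the updated crypt_blowfish corrected.
$pw   = "pässwörd\xff";
$hash = bcrypt_hash($pw, 10);
var_dump($hash !== false, bcrypt_verify($pw, $hash), bcrypt_verify('wrong', $hash));
```

Hashes produced under the older $2a$ prefix remain verifiable, since crypt() reads the prefix from the stored hash; new hashes should be written with $2y$ so that the corrected implementation is selected explicitly.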

The bundled SQLite3 and PCRE libraries have been updated to versions 3.7.7.1 and 8.12 respectively, and more than 80 stability fixes are included in this release.

"All PHP users should note that the PHP 5.2 series is NOT supported anymore. All users are strongly encouraged to upgrade to PHP 5.3.7," the developers note.

The latest version of PHP can be downloaded from the PHP website.
