Users are advised to update immediately to prevent potential attacks

Feb 3, 2012 07:52 GMT  ·  By

Stefan Esser, security researcher and developer of the Suhosin PHP extension, found a serious remote arbitrary code execution vulnerability and reported it to the PHP Group. In response, PHP 5.3.10 was released to address the issue.

It is not certain whether older versions are affected, but the latest stable version is, H Security reports.

It turns out that the problem was introduced by the security update in PHP 5.3.9, which was released to mitigate denial-of-service attacks that rely on hash collisions. That fix works by capping the number of input parameters a request may carry at 1,000, through the max_input_vars configuration directive.

However, the way this limit was implemented allows attackers to exceed it and remotely inject and execute arbitrary code over the web.

Esser recommends using Suhosin, which “greatly mitigates” and even “completely kills” the issue when it is running in its default configuration. PHP 5.3.10 is available for download here.
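For administrators who want to confirm where a server stands on the three points above (PHP version, the max_input_vars cap, and whether Suhosin is loaded), the following CLI audit script is an added example and is not code from the article, from Esser, or from the PHP project; the function names and the version thresholds it applies (5.3.9 affected, 5.3.10 fixed, older versions reported as unknown, as the article states) are this example's own assumptions.

```php
<?php
// Added example: run on the web server with the CLI binary,
// e.g. `php audit_max_input_vars.php`. Written without PHP 5.4+ syntax
// so it also runs on the 5.3.x releases the article is about.

// Classify a PHP version string against the releases named in the article:
// 5.3.9 shipped the flawed max_input_vars limit, 5.3.10 fixes it, and the
// article says it is not certain whether earlier versions are affected.
function classify_version($version)
{
    if (version_compare($version, '5.3.10', '>=')) {
        return 'fixed';
    }
    if (version_compare($version, '5.3.9', '>=')) {
        return 'vulnerable';
    }
    return 'unknown';
}

// Build a small findings report from the live values of this PHP build.
function audit_php_input_limit($version, $maxInputVars, $suhosinLoaded)
{
    $status = classify_version($version);
    $findings = array(
        'php_version'    => $version,
        'version_status' => $status,
        // max_input_vars only exists from 5.3.9 on; ini_get() returns false before that.
        'max_input_vars' => ($maxInputVars === false) ? 'not available' : (int) $maxInputVars,
        'suhosin_loaded' => $suhosinLoaded ? 'yes' : 'no',
    );

    $advice = array();
    if ($status === 'vulnerable') {
        $advice[] = 'Update to PHP 5.3.10 or later.';
        if (!$suhosinLoaded) {
            $advice[] = 'Suhosin is not loaded; the article reports it mitigates the issue until the update is applied.';
        }
    } elseif ($status === 'unknown') {
        $advice[] = 'Version predates 5.3.9; the article does not say whether it is affected. Updating is still advised.';
    }
    $findings['advice'] = $advice ? implode(' ', $advice) : 'none';
    return $findings;
}

$report = audit_php_input_limit(PHP_VERSION, ini_get('max_input_vars'), extension_loaded('suhosin'));
foreach ($report as $key => $value) {
    printf("%-15s %s\n", $key . ':', $value);
}
```

The script only reads build and ini values; it does not send any requests, so it is safe to run on a production host.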