by Dennis Fisher January 23, 2015
Several new versions of PHP have been released, fixing a number of security vulnerabilities and other bugs in the popular scripting language.
PHP 5.6.5 is the newest version of the language, and it has patches for a handful of vulnerabilities, including a use-after-free flaw that could lead to remote code execution in some cases.
“Sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping’s length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping,” the description of the vulnerability says.
Full Article
Login to the community
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.