ID :IRCNE2012021390
Date: 2012-02-04
IDG News Service - The PHP Group released PHP 5.3.10 on Thursday in order to address a critical security flaw that can be exploited to execute arbitrary code on servers running an older version of the Web development platform.
SecurityFocus classifies the issue as a design error because it was accidentally introduced while fixing a separate denial-of-service (DoS) vulnerability in early January.
This error can be exploited by attackers to remotely execute arbitrary code on a system that runs a vulnerable PHP installation. PHP 5.3.9 along with any older versions for which the hash collision DoS patch was backported, are affected, Eiram said.
Proof-of-concept code that exploits this vulnerability has already been published online, so the likelihood of attacks targeting CVE-2012-0830 are high. Web servers administrators are advised to upgrade to PHP 5.3.10 immediately.
- 2