News Archive
PhpRiot Newsletter
Your Email Address:

More information

PHP 5.4.3 and 5.3.13 fix several security issues

Note: This article was originally published at Planet PHP on 17 April 5760.
Planet PHP

The PHP team has announced PHP 5.4.3 and 5.3.13, fixing two separate security issues.

  • CVE-2012-2311 and CVE-2012-1823 are both fixed now. These are the CVE numbers for the PHP-CGI bug that has been announced by Eindbazen last week, and extensively covered by myself in various posts.

  • In addition, CVE-2012-2329 has been fixed, another issue in PHP-CGI. This was a heap overflow triggered by specially crafted HTTP headers and a script executing apache_request_headers().

I have tested my own exploit against the new version (5.4 only, I have no 5.3 setup) and there does not seem to be a possibility to exploit the vectors opened in CVE-2012-2311 and CVE-2012-1823. These issues seem to be fixed now. I have no exploit code for CVE-2012-2329, so I cannot make a statement if it is fixed yet.

Read the announcement here: PHP 5.4.3/5.3.13 release announcement

The download page for PHP 5.4.3 is here, the download for 5.3.13 is over here.