Btw, the correct fix (and less restrictive) is to disable
allow_url_include, not allow_url_fopen.
On Sat, Sep 24, 2011 at 3:56 PM, Vincent Danen <firstname.lastname@example.org> wrote:
> Could a CVE be assigned for this flaw? PHP 5.3.7 changed how the is_a()
> function worked, and as a result it could allow for remote arbitrary
> code execution if certain specific conditions are met (the blog post
> referenced below has a good writeup of the flaw).
> It looks like this is the fix:
> Vincent Danen / Red Hat Security Response Team
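The reply's distinction between the two directives can be checked against a php.ini file. The following is an added example, not part of the thread or of PHP itself: the function names and the sample ini text are constructed for illustration, and it assumes PHP's built-in defaults (allow_url_fopen On, allow_url_include Off) when a directive is absent.

```python
import re

# Values php.ini treats as boolean true (case-insensitive).
TRUE_VALUES = {"1", "on", "yes", "true"}
# Assumed built-in defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}

_LINE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")

# Constructed sample: URL includes enabled, with a misleading commented-out line.
SAMPLE_WEAK = """\
[PHP]
;allow_url_include = Off
allow_url_fopen = On
allow_url_include = "On"   ; enabled for a legacy plugin
"""

# Constructed sample: the less restrictive fix from the reply.
SAMPLE_FIXED = """\
[PHP]
allow_url_fopen = On
allow_url_include = On
allow_url_include = Off
"""


def effective_settings(ini_text):
    """Return the effective boolean value of the two URL-wrapper directives."""
    settings = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]  # drop ';' comments, whole-line or trailing
        m = _LINE.match(line)
        if not m or m.group(1) not in settings:
            continue
        value = m.group(2).strip("\"'").lower()
        settings[m.group(1)] = value in TRUE_VALUES  # last assignment wins
    return settings


def audit(ini_text):
    """Flag only allow_url_include; allow_url_fopen = On is not a finding."""
    findings = []
    if effective_settings(ini_text)["allow_url_include"]:
        findings.append("allow_url_include is On: set it to Off")
    return findings
```

This inspects the text of a single ini file only; settings applied elsewhere (additional ini files or web-server configuration) are outside what it sees.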