Re: [oss-security] CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8

hi,

Btw, the correct fix (and less restrictive) is to disable
allow_url_include, not allow_url_fopen.

Cheers,

On Sat, Sep 24, 2011 at 3:56 PM, Vincent Danen <vdanen@redhat.com> wrote:
> Could a CVE be assigned for this flaw?  PHP 5.3.7 changed how the is_a()
> function worked, and as a result it could allow for remote arbitrary
> code execution if certain specific conditions are met (the blog post
> referenced below has a good writeup of the flaw).
>
> http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
> https://bugs.php.net/bug.php?id=55475
> https://bugzilla.redhat.com/show_bug.cgi?id=741020
>
> It looks like this is the fix:
>
> http://svn.php.net/viewvc/?view=revision&amp;revision=317183
>
> Thanks.
>
> --
> Vincent Danen / Red Hat Security Response Team

-- Pierre @pierrejoye | http://blog.thepimp.net | http://www.libgd.org

• This message: [ Message body ]
• Next message: Zeev Suraski: "[oss-security] RE: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8"
• Previous message: Pierre Joye: "[oss-security] Re: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8"
• In reply to: Vincent Danen: "[oss-security] CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8"
• Next in thread: Josh Bressers: "Re: [oss-security] CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]