Secunia

Stefan Esser has discovered some vulnerabilities and a weakness in PHP, which can be exploited by malicious users to disclose potentially sensitive information or to gain escalated privileges.

1) An error in the "array_user_key_compare()" function where key references are incorrectly destroyed can be exploited to cause memory corruption.

2) An error in the handling of resource data can be exploited to destroy and replace certain resources by interrupting the processing PHP function (e.g. functions of the GD extension). This allows read and write access to arbitrary memory addresses.

Successful exploitation of these vulnerabilities allows execution of arbitrary code, which can lead to security restrictions, such as the "disable_functions" directive, being bypassed.

3) An error in the handling of references in functions can be exploited to read arbitrary heap memory via a user space error handler interrupting e.g. the "iptcembed()" function.

The vulnerabilities are confirmed in version 5.2.1 and also reported in version 4.4.6. Other versions may also be affected.

Solution
Update to version 5.2.2 or 4.4.7 to fix vulnerability #1. Grant only trusted users permissions to execute PHP code.

Provided and/or discovered by
Stefan Esser

Changelog
Further details available in Customer Area

Original Advisory
PHP:
http://www.php.net/releases/5_2_2.php
http://www.php.net/releases/4_4_7.php

MOPB:
1) http://www.php-security.org/MOPB/MOPB-24-2007.html

2) http://www.php-security.org/MOPB/MOPB-27-2007.html
http://www.php-security.org/MOPB/MOPB-28-2007.html

3) http://www.php-security.org/MOPB/MOPB-37-2007.html

Deep Links
Links available in Customer Area