Some vulnerabilities have been reported in PHP, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

1) An error within the "SAPI_POST_HANDLER_FUNC()" function in rfc1867.c when handling file names via a "multipart/form-data" POST request can be exploited to append a "/" or "\" character before the file name and e.g. delete files from the root directory.

2) An error related to the "error_log()" function can be exploited to cause a crash.

3) An error within the implementation of the "crypt()" function can be exploited to cause a buffer overflow by providing an overly long salt.

4) A boundary error within the implementation of the "socket_connect()" function can be exploited to cause a stack-based buffer overflow.

5) A use-after-free error exists within the implementation of the "substr_replace()" function.

Note: The crypt_blowfish implementation was also updated to enhance its security.

Solution
Update to version 5.3.7.

Provided and/or discovered by
1) Krzysztof Kotowicz
2) The vendor credits Mateusz Kocielski
3) Reported by the vendor
4) Mateusz Kocielski, Marek Kroemekem, and Filip Palian
5) Felipe Pena

Changelog
Further details available to Secunia VIM customers

Original Advisory
PHP:
http://www.php.net/archive/2011.php#id2011-08-18-1
http://bugs.php.net/bug.php?id=54939
http://bugs.php.net/bug.php?id=54238

Krzysztof Kotowicz:
http://pastebin.com/1edSuSVN

Deep Links
Links available to Secunia VIM customers