Description
Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
Vendor has released PHP 5.2.0 which fixes this issue.
Affected PHP versions (up to 4.4.4/5.1.6).
Remediation
Upgrade PHP to the latest version.
References
Related Vulnerabilities
WordPress Plugin FAQs Manager SQL Injection (1.0)
WordPress Plugin Arigato Autoresponder and Newsletter Multiple Unspecified Vulnerabilities (2.4.2)
WordPress Plugin Royal PrettyPhoto Cross-Site Scripting (1.2)
WordPress Plugin AccessAlly Information Disclosure (3.5.6)
WordPress Plugin Post to CSV by BestWebSoft Cross-Site Scripting (1.3.0)