Description

The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id.

Remediation

References

CVE-2013-3735

Related Vulnerabilities

TYPO3 Improper Authentication Vulnerability (CVE-2015-2047)

Apache HTTP Server Other Vulnerability (CVE-2010-0408)

Joomla Improper Input Validation Vulnerability (CVE-2006-4468)

WordPress Plugin Category List Portfolio Page TimThumb Arbitrary File Upload (1.2.3)

phpMyAdmin Improper Input Validation Vulnerability (CVE-2006-6943)

Severity

Medium

Classification

CVE-2013-3735 CWE-20

Tags

Missing Update Known Vulnerabilities