Description

This alert was generated using only banner information. It may be a false positive.

The PHP development team would like to announce the immediate availability of PHP 5.2.3. This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.3:

  • Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
  • Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756)
  • Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
  • Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
  • Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
  • Added mysql_set_charset() to allow runtime altering of connection encoding.


Affected PHP versions (up to 5.2.2).

Remediation

Upgrade PHP to the latest version.

References

PHP 5.2.3 Release Announcement

PHP Homepage

Related Vulnerabilities

WebLogic CVE-2018-11039 Vulnerability (CVE-2018-11039)

WordPress Improper Authentication Vulnerability (CVE-2014-0166)

Plone CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-5490)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2006-6832)

WordPress Other Vulnerability (CVE-2004-1584)

Severity

High

Classification

CVE-2007-1900 CVE-2007-2756 CVE-2007-2872 CWE-1104 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Denial Of Service Code Execution