Several new versions of PHP have been released, fixing a number of security vulnerabilities and other bugs in the popular scripting language.
PHP 5.6.5 is the newest version of the language, and it has patches for a handful of vulnerabilities, including a use-after-free flaw that could lead to remote code execution in some cases.
“Sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping’s length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping,” the description of the vulnerability says.
There are a few other security vulnerabilities fixed in version 5.6.5, as well. One involves an initialized pointer in Exif. Another is a fix for a vulnerability that initially was patched in December. Apparently the patch did not completely fix the problem, which was identified by researcher Stefan Esser. The vulnerability is another use-after-free bug.
“There is a small but important difference to the patch I sent on 10th December. You use zend_symtable_find instead of zend_hash_find from my patch. Because of this change the fix is incomplete. It now detects attacks that try to replace a key like “AAA”, but it does not fix attacks where the key is a numerical string like “123”. The reason for this is that we do not want integer keys in objects. That is why the code was added in the first place,” Esser said in an email to the PHP maintainers.
“The object properties are therefore inserted via zend_hash_update, instead of zend_symtable_update. Therefore something like “123” will be inserted as a string and not as a numerical 123. On the attempt to do the overwrite attack you now check with zend_symtable_find(). This function will turn the “123” into a numerical “123” and therefore not see that it is already there. The protection will not be executed and therefore the attack works in the same way as before.”