A vulnerability in the PHP unserialize() function was announced at the SyScan 2010 security conference. Proof-of-concept exploit code has been published. PHP developers have committed a fix to their source code repository (see the link below), but have not released an official fix as of this writing.
Affected versions:
PHP 5.2 <= 5.2.13
PHP 5.3 <= 5.3.2
References:
http://nibbles.tuxfamily.org/?p=1837
http://svn.php.net/viewvc?view=revision&revision=300843
http://php-security.org/2010/06/25/mops-2010-061-php-splobjectstorage-deserialization-use-after-freevulnerability/
email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity