Vulnerability & Exploit Database

Back to search

RHSA-2009:0337: php security update

Severity CVSS Published Added Modified
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) December 23, 2008 September 12, 2009 July 04, 2017


PHP is an HTML-embedded scripting language commonly used with the ApacheHTTP Web server.A heap-based buffer overflow flaw was found in PHP's mbstring extension. Aremote attacker able to pass arbitrary input to a PHP script using mbstringconversion functions could cause the PHP interpreter to crash or,possibly, execute arbitrary code. (CVE-2008-5557)A flaw was found in the handling of the "mbstring.func_overload"configuration setting. A value set for one virtual host, or in a user's.htaccess file, was incorrectly applied to other virtual hosts on the sameserver, causing the handling of multibyte character strings to not workcorrectly. (CVE-2009-0754)A buffer overflow flaw was found in PHP's imageloadfont function. If a PHPscript allowed a remote attacker to load a carefully crafted font file, itcould cause the PHP interpreter to crash or, possibly, execute arbitrarycode. (CVE-2008-3658)A flaw was found in the way PHP handled certain file extensions whenrunning in FastCGI mode. If the PHP interpreter was being executed viaFastCGI, a remote attacker could create a request which would cause the PHPinterpreter to crash. (CVE-2008-3660)A memory disclosure flaw was found in the PHP gd extension's imagerotatefunction. A remote attacker able to pass arbitrary values as the"background color" argument of the function could, possibly, view portionsof the PHP interpreter's memory. (CVE-2008-5498)All php users are advised to upgrade to these updated packages, whichcontain backported patches to resolve these issues. The httpd web servermust be restarted for the changes to take effect.

Scan For This Vulnerability

Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities

 Free InsightVM Trial




Related Vulnerabilities