First Day of MoPHPB

Written by Editor
Thursday, 01 March 2007 14:26

Today is the first day of the Month of PHP Bugs project, and the first bugs have been released under it. It seems we had 3 bugs today instead of the one we were expecting. Here is a quick summary of these first 3 releases.

MOPB-01-2007: PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability. This issue affects PHP 4, where userland code is able to overflow an internal 16-bit zval reference counter. You can find out more about the issue here, along with PoC exploit code. This vulnerability has been known about for years within the PHP development team and is addressed in PHP 5, yet it goes unfixed in PHP 4.

MOPB-02-2007: PHP Executor Deep Recursion Stack Overflow. This issue relates to deep recursion of PHP userland code, which can be used to exhaust all available stack, at which point it could trigger a crash on the webserver that could affect other running sessions. You can read the full details here.

MOPB-03-2007: PHP Variable Destructor Deep Recursion Stack Overflow. This is similar to the second issue: a deep recursion bug in the Zend engine variable destruction that could be used to remotely crash PHP installations. Again, you can read the full vulnerability description here.

It seems this first day of the Month of PHP Bugs project is dedicated to OLD, yet UNFIXED PHP bugs, in an effort to highlight the inadequacies of the vulnerability management process used by the PHP Security Response Team.
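A simplified C model of the 16-bit reference counter overflow summarized under MOPB-01-2007, added here as an illustration and not taken from PHP's source or from the advisory's PoC. The struct, the function names and the checked-increment mitigation are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a reference-counted value; not PHP's zval layout. */
struct value {
    uint16_t refcount;  /* 16-bit counter, as in the issue described above */
    int      freed;     /* set when the model "frees" the value */
};

/* Unchecked increment: silently wraps from 65535 to 0. */
static void ref_unchecked(struct value *v) { v->refcount++; }

/* Checked increment: refuses to wrap; the caller must copy the value instead. */
static int ref_checked(struct value *v) {
    if (v->refcount == UINT16_MAX) return -1;
    v->refcount++;
    return 0;
}

/* Drop one reference; the value is freed when the counter reaches zero. */
static void unref(struct value *v) {
    if (--v->refcount == 0) v->freed = 1;
}

/* Take `extra` references, release one, return the holders left dangling. */
static uint32_t dangling_after_one_release(uint32_t extra, int checked) {
    struct value v = { 1, 0 };
    uint32_t holders = 1;               /* true number of live references */
    for (uint32_t i = 0; i < extra; i++) {
        if (checked) { if (ref_checked(&v) != 0) break; }
        else ref_unchecked(&v);
        holders++;
    }
    unref(&v);
    holders--;
    return v.freed ? holders : 0;       /* holders pointing at freed memory */
}

int main(void) {
    printf("unchecked: %u dangling\n", (unsigned)dangling_after_one_release(65536, 0));
    printf("checked:   %u dangling\n", (unsigned)dangling_after_one_release(65536, 1));
    return 0;
}
```

With the unchecked counter, 65536 extra references bring the count back to 1, so a single release frees the value while every other holder still points at it; the checked variant stops at 65535 and nothing is freed early.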













