Security issue is_a function in PHP 5.3.7+

Type securityvulns
Reporter Securityvulns
Modified 2011-09-26T00:00:00


PHP 5.3.7 changed the behavior of the is_a() function, used to check if an object is an instance of a class, to call the __autoload() function. This causes a remote code execute problem when coupled with a standard library like PEAR that internally uses is_a to check if a returned variable is an Error object or not.

An unprotected __autoload() function that blindly includes based upon the variable it receives can be tricked into including a remote file by, for example, uploading a specially crafted file containing a link to a remote website.

Full explanation + code example has been posted on our website at and has been e-mailed to

-- Cipriano Groenendal