Several new versions of PHP have been released, fixing a number of security vulnerabilities and other bugs in the popular scripting language.
PHP 5.6.5 is the newest version of the language, and it has patches for a handful of vulnerabilities, including a use-after-free flaw that could lead to remote code execution in some cases.
βSapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mappingβs length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping,β the description of the vulnerability says.
There are a few other security vulnerabilities fixed in version 5.6.5, as well. One involves an initialized pointer in Exif. Another is a fix for a vulnerability that initially was patched in December. Apparently the patch did not completely fix the problem, which was identified by researcher Stefan Esser. The vulnerability is another use-after-free bug.
βThere is a small but important difference to the patch I sent on 10th December. You use zend_symtable_find instead of zend_hash_find from my patch. Because of this change the fix is incomplete. It now detects attacks that try to replace a key like βAAAβ, but it does not fix attacks where the key is a numerical string like β123β. The reason for this is that we do not want integer keys in objects. That is why the code was added in the first place,β Esser said in an email to the PHP maintainers.
βThe object properties are therefore inserted via zend_hash_update, instead of zend_symtable_update. Therefore something like β123β will be inserted as a string and not as a numerical 123. On the attempt to do the overwrite attack you now check with zend_symtable_find(). This function will turn the β123β into a numerical β123β and therefore not see that it is already there. The protection will not be executed and therefore the attack works in the same way as before.β