PHPDeveloper.org: SecurityReason.com: PHP 5.2.4 Released...unpatched

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Job Posting: Chegg Seeks Senior PHP Developer (Santa Clara, CA)

Job Posting: TEKSystems (Recruiter) Seeks PHP Web Application Developers (Tampa, FL)

Job Posting: Quinstreet, Inc. Seeks Sr. PHP Developer (Foster City, CA)

Job Posting: WideEye Interactive/Moroch Advertising Seeks Web Developer (Dallas, TX)

Job Posting: Project People Ltd (Recruiter) Seeks PHP Developer (Paris, France)

Job Posting: Snelling (Recruiter) Seeks Web Programmer (Boston, MA)

Job Posting: Veedow Seeks Senior PHP Developer/Architect (London, UK)

Job Posting: Apex Systems (Recruiter) Seeks PHP Web Developers (Tampa, FL)

Job Posting: WordStream Seeks Web Application Developer (Needham, MA)

Job Posting: JS Creative Seeks Web Developer (Atlanta, GA)

News Archive

Job Posting: Chegg Seeks Senior PHP Developer (Santa Clara, CA)

Robert Basic's Blog: MyUrl view helper for Zend Framework

Laknath Semage's Blog: PHP + Large files

NETTUTS.com: Mimicking Apple's Address Book for the Web

Martynas Jusevicius' Blog: Method overloading in PHP 5

DevShed: Authentication Scripts for a User Management Application

Community News: PHP Advent 2008

Ibuildings Blog: Zend_Paginator: First Impressions

Community News: Latest PECL Releases for 12.02.2008

Till's Blog: ZendFramework (performance) II

SecurityReason.com:
PHP 5.2.4 Released...unpatched

by Chris Cornutt September 05, 2007 @ 11:43:00

As mentioned by the International PHP Magazine, Maksymilian Arciemowicz has posted about some testing he's been doing on the newly released PHP 5.2.4 and has still found some issues with it.

In 30 August PHP Team have released new version PHP with number 5.2.4. We have tested this version and now we can say, that not all issues from PHP 5.2.3 are patched. It is possible bypass safe_mode, open_basedir and disabled_functions.

The issue he describes is the lack of a "mail.force_extra_parameters" setting in the php.ini still making it possible to exploit the mail() function to execute arbitrary PHP code.

0 comments voice your opinion now!
release php5 mail function arbitrary code phpini setting patch release php5 mail function arbitrary code phpini setting patch

Similar Posts

PHP.net: PHP 5.1.1 Released!

David Sklar\'s Blog: Two New O\'Reilly PHP Translations

Zend Developer Zone: Zend Framework Beta 0.9.3 Released

Danne Lundqvist's Blog: Problem sending mail with PHP mail function

Christian Stocker's Blog: Upload Progress Meter extension for PHP 5.2

Community Events

Don't see your event here?
Let us know!

All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework