The SecurityReason website has posted three new advisories concerning the latest release in the PHP 5 series, 5.2.4:
- PHP 5.2.4 <= dl() open_basedir_bypass&code exec&dos - the library path passed to dl() is not properly checked, so a script that can call dl() can overflow a buffer, step outside open_basedir and load arbitrary native code into the PHP process
- PHP <=5.2.4 iconv_substr() denial of service - a memory-limit handling issue that a script can use to mount a DoS attack
- PHP < 5.2.4 setlocale() denial of service - a memory-limit handling issue that a script can use to mount a DoS attack
The dl() overflow is marked as a medium threat (largely because it allows for arbitrary code execution) while the other two are rated low. A patch is also given for the dl() issue. Note that all three are triggered from PHP code, so the attacker must already be able to run a script on the server; the shared-hosting case, where open_basedir and memory_limit are what separate tenants, is the one that matters. Independently of the patch, dl() can be switched off outright with enable_dl = Off or by listing it in disable_functions.
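As an added example (not taken from the advisories or from the PHP project), here is a php.ini fragment showing the permissive settings beside the hardened ones a shared host would want in place while waiting for the patch. The directives (enable_dl, disable_functions, open_basedir, memory_limit) are real PHP 5 settings; the paths and limits are placeholders chosen for illustration, and the two groups are alternatives, not meant to be active at once.

```ini
; --- Permissive (what an untouched shared-hosting php.ini may look like) ---
; dl() is callable from any script, so any tenant can load a native
; extension of their choosing, and there is no per-tenant path fence.
enable_dl = On
disable_functions =
open_basedir =
memory_limit = 128M      ; illustrative value

; --- Hardened (recommended until the dl() fix is applied) ---
; Turning enable_dl off makes dl() refuse to load anything; listing it in
; disable_functions additionally makes the call itself fail, so the
; unchecked path handling is never reached. open_basedir and a tighter
; memory_limit are the containment these advisories attack; the placeholder
; path and limit below are illustrative and must be set per site.
enable_dl = Off
disable_functions = dl
open_basedir = /var/www/example-site:/tmp
memory_limit = 64M
```

After changing php.ini, restart the web server (or the FastCGI pool) and confirm the result from a script with ini_get('enable_dl') and ini_get('disable_functions'); a successful dl() call from a test script means the override was not picked up. These settings neutralise the dl() issue only; the iconv_substr() and setlocale() problems are in functions that cannot reasonably be disabled and need the fixed release.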