| Release Date | Mar 17, 2010 |
| Severity | High |
| Impact | Attackers can create cross-site scripting issues or execute arbitrary code. |
| Description | PHP is a scripting language which runs as a module for Apache or as a standalone interpreter. One vulnerability can be exploited to execute arbitrary code on the remote host if the option memory_limit is set. Another bug may allow an attacker to bypass content restrictions in the function strip_tags() under certain conditions, such as when register_globals is enabled. These vulnerabilities have been confirmed in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3. Some older versions may also be affected. |
| Recommended Actions | Upgrade to the latest version. |
| Common Vulnerabilities and Exposures (CVE) | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0594 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0595 |
| Reference/s | http://www.securityfocus.com/bid/10724 (BugTraq) |