
Tuesday, May 20, 2008

PHP Update Quashes Security Bugs



The open-source PHP Group has released a high-priority update to fix multiple security vulnerabilities.

The PHP 5.2.6 release corrects at least four documented security flaws of varying severity and also upgrades the bundled PCRE (Perl Compatible Regular Expressions) to version 7.6.

Secunia has slapped a "moderately critical" label on this update and warned that some of the PHP vulnerabilities can be exploited by malicious users to bypass certain security restrictions, which could cause a denial of service or compromise a vulnerable system.

The vulnerability details:

  •  An unspecified error in the FastCGI SAPI can be exploited to cause a stack-based buffer overflow.
  •  An unspecified error exists in processing incomplete multibyte characters within "escapeshellcmd()."
  •  A security issue is caused due to an unspecified error. No further information is currently available.
  •  An error in cURL can be exploited to bypass the "safe_mode" directive.
  •  A boundary error in PCRE can potentially be exploited by malicious people to cause a DoS or compromise a vulnerable system.