search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

PHP getSymbol vulnerability allows denial of service

Vulnerability Note VU#479900

Original Release Date: 2010-11-30 | Last Revised: 2010-11-30

Overview

PHP fails to properly sanitize input passed to the getSymbol function in a way that could allow and attacker to cause a segmentation fault.

Description

PHP is a scripting language that is designed for web-based applications and can be embedded directly into HTML.


The getSymbol function in PHP versions prior to 5.3.3 revision 305571 contains an integer overflow vulnerability. For more information about this issue, see the PHP CVS log.

Impact

A remote attacker could cause a segmentation fault in PHP, leading to a denial of service.

Solution

Upgrade

PHP 5.3.3 revision 305571 was released to address this vulnerability.

Vendor Information

479900
 
Expand all

The PHP Group Affected

Updated:  November 30, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://svn.php.net/viewvc?view=revision&revision=305571

Acknowledgements

Thanks to Maksymilian Arciemowicz for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Severity Metric: 5.04
Date Public: 2010-11-19
Date First Published: 2010-11-30
Date Last Updated: 2010-11-30 20:28 UTC
Document Revision: 9

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis