PHP Critical Security Fix Released
Number: AV12-004
Date: 06 February 2012
Purpose
The purpose of this advisory is to bring attention to the following critical security fix for PHP.
Assessment
In response to the "hash collision" denial-of-service problem disclosed in December 2011 (CVE-2011-4885), which affected many products including PHP and .NET, PHP released a security fix in PHP 5.3.9. See CCIRC Alert AL11-005 Hash Table Implementations Vulnerable to Attack (29 December 2011) http://www.publicsafety.gc.ca/prg/em/ccirc/2011/al11-005-eng.aspx
However, this security fix also introduced a critical remote code execution vulnerability in the handling of the new input-variable limit (the php_register_variable_ex function). An attacker may craft a POST request carrying a large number of variables that corrupts memory and executes code on a web server running PHP 5.3.9, with the privileges of the PHP-based application (normally the web server's process). Versions prior to 5.3.9 do not contain this particular flaw.
PHP has therefore released a critical security fix, PHP 5.3.10, which corrects the problem.
CVE: CVE-2012-0830
Suggested action
CCIRC recommends that administrators who updated their systems to PHP 5.3.9 test and deploy this critical security fix at their earliest convenience. Administrators still running PHP 5.3.8 or earlier are not exposed to CVE-2012-0830 but remain exposed to the hash collision denial of service described in AL11-005, and should move directly to PHP 5.3.10. Where PHP is supplied by an operating system vendor that backports security fixes without changing the reported version number, consult the vendor's security advisory rather than relying on the version string alone.
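The following Python script is an added example for this advisory, not code from CCIRC or the PHP project. It scripts the two checks an administrator can act on from the assessment and the suggested action above: classifying a PHP version string (from `php -v` output or an X-Powered-By header) against the 5.3.9 / 5.3.10 boundary, and flagging form-encoded POST bodies that carry far more input variables than a normal request, which is the kind of request the assessment describes. The 1000-variable threshold (PHP 5.3.9's default max_input_vars), the sample inputs and the status labels are assumptions made for illustration; they do not come from the advisory.

```python
"""Triage helpers for CCIRC AV12-004 / CVE-2012-0830.

Added example, not part of the advisory. Two checks an administrator might script:
  1. classify a PHP version string against the 5.3.9 / 5.3.10 boundary;
  2. flag POST bodies carrying an unusually large number of input variables.
Thresholds, labels and sample data below are assumptions, not advisory values.
"""
import re
from urllib.parse import parse_qsl

# Hypothetical status labels (not taken from the advisory).
PATCHED = "patched: 5.3.10 or later"
VULN_RCE = "PHP 5.3.9: affected by CVE-2012-0830, upgrade to 5.3.10"
VULN_DOS = "pre-5.3.9: not affected by CVE-2012-0830 but lacks the hash collision fix, upgrade to 5.3.10"
UNKNOWN = "could not parse a PHP version"

# Matches "PHP 5.3.9 (cli) ..." from `php -v` and "PHP/5.3.9" from X-Powered-By.
_VERSION_RE = re.compile(r"\bPHP[\s/]+(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Return (major, minor, patch) or None.

    Distro suffixes such as "5.3.9-1ubuntu1" are tolerated: only the numeric
    triple is read, the suffix is ignored.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def php_status(text):
    """Classify a version string against the advisory's 5.3 branch boundary.

    Caveat: vendors that backport fixes without bumping the version number
    make this heuristic unreliable; for those builds check the vendor changelog.
    """
    v = parse_php_version(text)
    if v is None:
        return UNKNOWN
    if v == (5, 3, 9):
        return VULN_RCE
    if v < (5, 3, 9):
        return VULN_DOS
    return PATCHED


def count_input_variables(body):
    """Count the input variables PHP would register from a form-encoded body.

    Approximation: one variable per '&'-separated name=value pair, blanks kept,
    which is how max_input_vars counts them; array syntax such as a[]=1 is one pair.
    """
    if not body:
        return 0
    return len(parse_qsl(body, keep_blank_values=True))


def flag_request(body, limit=1000):
    """True when the body exceeds `limit` variables.

    1000 is PHP 5.3.9's default max_input_vars (assumption used for the
    threshold; tune it to the server's php.ini). A request this large is worth
    logging or blocking at a proxy in front of an unpatched 5.3.9 host.
    """
    return count_input_variables(body) > limit


if __name__ == "__main__":
    # Constructed samples; not real server output or captured traffic.
    for sample in ("PHP 5.3.9 (cli)", "X-Powered-By: PHP/5.3.10",
                   "PHP 5.3.8-1ubuntu1", "no version here"):
        print(f"{sample!r}: {php_status(sample)}")
    normal = "user=alice&action=login"
    oversized = "&".join(f"v{i}=x" for i in range(1001))
    print("normal request flagged:", flag_request(normal))
    print("oversized request flagged:", flag_request(oversized))
```

The version check deliberately treats only the exact 5.3.9 triple as affected by CVE-2012-0830, matching the advisory; the request check is a proxy-side heuristic and cannot confirm exploitation, only that a request exceeds the limit that the vulnerable code path enforces.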
Reference:
http://isc.sans.org/diary/Critical+PHP+bug+patched/12520
http://www.securityfocus.com/bid/51830
Downloads:
http://php.net/downloads.php
Windows binaries can be found on:
http://windows.php.net/download/
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca