FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2012-0830

This CVE name corresponds to:

Entered Topic
2012-02-04 php -- arbitrary remote code execution vulnerability

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2012-0830
Phase Assigned(20120119)

Description

The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.

References

Source Reference
MLIST [oss-security] 20120202 PHP remote code execution introduced via HashDoS fix
MLIST [oss-security] 20120203 Re: PHP remote code execution introduced via HashDoS fix
MISC http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
MISC http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html
MISC https://gist.github.com/1725489
CONFIRM http://svn.php.net/viewvc?view=revision&revision=323007
CONFIRM http://www.php.net/ChangeLog-5.php#5.3.10
CONFIRM http://support.apple.com/kb/HT5281
APPLE APPLE-SA-2012-05-09-1
DEBIAN DSA-2403
HP HPSBMU02786
HP SSRT100877
HP HPSBUX02791
HP SSRT100856
REDHAT RHSA-2012:0092
SUSE openSUSE-SU-2012:0426
BID 51830
OSVDB 78819
SECTRACK 1026631
SECUNIA 47806
SECUNIA 47801
SECUNIA 47813
SECUNIA 48668
XF php-phpregistervariableex-code-exec(72911)