Following the footsteps of MOAB, MOKB, MOBB, the Hardened-PHP Project declares March as the Month of PHP Bugs and promptly publishes three PHP flaws, one of which comes with an exploit to boot:

• PHP Variable Destructor Deep Recursion Stack Overflow
  - destruction of deeply nested PHP arrays can exhaust all available stack leading to remotely triggerable crashes

• PHP Executor Deep Recursion Stack Overflow (CVE-2006-1549)
  - deep recursion of PHP userland code can exhaust all available stack sometimes leading to a remotely triggerable crash

• PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability
  - PHP 4 userland code is able to overflow the internal 16bit zval reference counter by creating many references to a variable leading to an exploitable double dtor condition
  - comes with an exploit

The project clarifies that it is not going after bugs in the PHP language itself, rather it aims to divulge flaws and security vulnerabilities in the PHP core, the Zend Engine, and PHP extensions.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!