search menu icon-carat-right cmu-wordmark

CERT Coordination Center

PHP getSymbol vulnerability allows denial of service

Vulnerability Note VU#479900

Original Release Date: 2010-11-30 | Last Revised: 2010-11-30


PHP fails to properly sanitize input passed to the getSymbol function in a way that could allow and attacker to cause a segmentation fault.


PHP is a scripting language that is designed for web-based applications and can be embedded directly into HTML.

The getSymbol function in PHP versions prior to 5.3.3 revision 305571 contains an integer overflow vulnerability. For more information about this issue, see the PHP CVS log.


A remote attacker could cause a segmentation fault in PHP, leading to a denial of service.



PHP 5.3.3 revision 305571 was released to address this vulnerability.

Vendor Information

Affected   Unknown   Unaffected

The PHP Group

Updated:  November 30, 2010



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A



Thanks to Maksymilian Arciemowicz for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Severity Metric: 5.04
Date Public: 2010-11-19
Date First Published: 2010-11-30
Date Last Updated: 2010-11-30 20:28 UTC
Document Revision: 9

Sponsored by CISA.