search menu icon-carat-right cmu-wordmark

CERT Coordination Center

PHP getSymbol vulnerability allows denial of service

Vulnerability Note VU#479900

Original Release Date: 2010-11-30 | Last Revised: 2010-11-30

Overview

PHP fails to properly sanitize input passed to the getSymbol function in a way that could allow and attacker to cause a segmentation fault.

Description

PHP is a scripting language that is designed for web-based applications and can be embedded directly into HTML.


The getSymbol function in PHP versions prior to 5.3.3 revision 305571 contains an integer overflow vulnerability. For more information about this issue, see the PHP CVS log.

Impact

A remote attacker could cause a segmentation fault in PHP, leading to a denial of service.

Solution

Upgrade

PHP 5.3.3 revision 305571 was released to address this vulnerability.

Vendor Information

479900
 
Affected   Unknown   Unaffected

The PHP Group

Updated:  November 30, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Maksymilian Arciemowicz for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Severity Metric: 5.04
Date Public: 2010-11-19
Date First Published: 2010-11-30
Date Last Updated: 2010-11-30 20:28 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.