<<< JPCERT/CC Alert 06.02.12 >>>
Vulnerability in PHP 5.3.9
Information regarding a vulnerability in PHP 5.3.9 was released on
February 2, 2012. A remote attacker could use this vulnerability to
execute arbitrary code.
JPCERT/CC has confirmed that PoC (Proof of Concept) code which
exploits this vulnerability has been released publicly, and therefore
recommends updating PHP on the servers you manage to the corrected
version supplied by the PHP Group (PHP 5.3.10).
PHP 5.3.10 Released!
Those using PHP 5.3.8 or earlier are not affected by this
vulnerability. However, known vulnerabilities may allow execution
of arbitrary code or denial of service (DoS) attacks, so updating to
the latest version is recommended.
II. Products Affected
The following version is affected by this vulnerability.
- PHP 5.3.9
The PHP Group has released a version that corrects this
vulnerability. We recommend deploying the corrected version after
thorough testing. Additionally, corrected versions are also being
provided by several distributors.
For more information, refer to information supplied by individual
- PHP 5.3.10
PHP For Windows: Binaries and sources Releases
* Support for PHP 5.2 ended in January 2011, so we recommend that
all users of versions 5.2 and older update to the latest version.
February is Information Security Month. We recommend checking all
managed sites to ensure they do not have software with known
vulnerabilities or software which is no longer supported.
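One way to run the check recommended above across managed servers, as an added example (not code from JPCERT/CC or the PHP Group). The function names, category labels and sample inventory are assumptions of this example; a version string with a distributor suffix is flagged for manual review because a distributor's corrected package may still report 5.3.9.

```shell
#!/bin/sh
# Added example: classify PHP version strings against the versions in this alert.
# Function names and category labels are assumptions made for this example.

classify_php_version() {
    raw=$1
    # First x.y.z in the string, e.g. from "PHP 5.3.9 (cli) (built: ...)".
    ver=$(printf '%s\n' "$raw" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then echo UNKNOWN; return 0; fi
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    # Text glued to x.y.z (such as "-1example1") indicates a distributor build.
    suffix=${raw#*"$ver"}
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -le 2 ]; }; then
        echo UNSUPPORTED                 # 5.2 and older: support has ended
    elif [ "$major" -eq 5 ] && [ "$minor" -eq 3 ] && [ "$patch" -eq 9 ]; then
        case $suffix in
            [-+~]*) echo CHECK_DISTRIBUTOR ;;  # may carry a backported fix
            *)      echo AFFECTED ;;
        esac
    elif [ "$major" -eq 5 ] && [ "$minor" -eq 3 ] && [ "$patch" -lt 9 ]; then
        echo OUTDATED                    # not this flaw, but other known ones
    else
        echo CORRECTED_OR_LATER          # 5.3.10 or newer
    fi
}

# Read "host version-string" lines on stdin; print hosts that need attention.
audit_inventory() {
    while read -r host version; do
        [ -n "$host" ] || continue
        status=$(classify_php_version "$version")
        [ "$status" = CORRECTED_OR_LATER ] || printf '%s %s\n' "$host" "$status"
    done
}

# Constructed sample inventory (hostnames and version strings are made up).
sample_inventory() {
    cat <<'EOF'
web01 PHP 5.3.9 (cli) (built: Jan 11 2012 10:00:00)
web02 PHP 5.3.10 (cli)
web03 5.3.9-1example1
legacy01 PHP 5.2.17
app01 5.3.8
EOF
}

sample_inventory | audit_inventory
```

In practice the inventory lines would come from running `php -v` on each host or from the package manager's listing.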
Red Hat, Inc
Debian Security Advisory
DSA-2403-1 php5 -- code injection
National Information Security Center
Information Security Month [ Information Security Site Protecting Japanese Citizens ]
If you have any further questions or information regarding this
alert, please contact JPCERT/CC.
JPCERT Coordination Center (JPCERT/CC)
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602