Information for PHP developers...


Regards
Sandeep Thakur

---------- Forwarded message ----------
From:  <[email protected]>
Date: Fri, Sep 23, 2011 at 8:03 PM
Subject: Security issue is_a function in PHP 5.3.7+
To: [email protected]


PHP 5.3.7 changed the behavior of the is_a() function, used to check
if an object is an instance of a class, to call the __autoload()
function. This causes a remote code execution problem when coupled with
a standard library like PEAR that internally uses is_a to check if a
returned variable is an Error object or not.

An unprotected __autoload() function that blindly includes based upon
the variable it receives can be tricked into including a remote file
by, for example, uploading a specially crafted file containing a link
to a remote website.

Full explanation + code example has been posted on our website at
http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
and has been e-mailed to [email protected]

--
Cipriano Groenendal
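The autoloader pattern described above, as an added example that is not part of the original message, of PEAR, or of the linked blog post: the unprotected form beside a hardened one, plus a caller that never hands a string to is_a() in the first place. The lib directory, the function names and the PEAR_Error check are assumptions for illustration.

```php
<?php
// From PHP 5.3.7, is_a() accepts a string as its first argument and triggers
// autoloading for it, so code such as is_a($value, 'PEAR_Error') with an
// attacker-controlled $value passes that string straight to the autoloader.

// Vulnerable pattern: the class name becomes an include path without validation.
function unsafe_autoload($class)
{
    include $class . '.php';
}

// Hardened pattern: accept only bare identifier-like class names (assumes
// non-namespaced code) and only files that exist below one fixed local directory.
function safe_autoload($class)
{
    // Reject anything with '/', ':', '.', '\\' or other non-identifier characters,
    // which rules out relative paths and stream-wrapper URLs alike.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
        return; // PHP then raises its usual "class not found" error
    }
    $base = realpath(__DIR__ . '/lib');            // assumed local class directory
    $path = realpath($base . '/' . $class . '.php');
    // realpath() returns false for a missing file; the prefix check confirms the
    // resolved file really lives inside $base rather than somewhere else on disk.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return;
    }
    require $path;
}
spl_autoload_register('safe_autoload');

// Calling code: confirm the value is an object before asking is_a() anything,
// so a string returned by a library function can never reach the autoloader.
function is_error_object($value)
{
    return is_object($value) && $value instanceof PEAR_Error;
}
```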
