6. August 2006

With the recent release of PHP 4.4.3 PHP.net finally closes the zend_hash_del_key_or_index hole (aka. unset() vulnerability) in PHP 4, that we found 6 month ago. Users of PHP 5.1.4 already have the same fix in their PHP.

The hole itself is deeply hidden within the Zend Engine and opens up a large number of securely written PHP applications to remote attackers (remote code execution, SQL injection, ...). For a detailed explanation of the vulnerability continue reading the article.