heise online, the popular and well-known German IT news site, reports four new vulnerabilities in the PHP scripting language. PHP is widely used for web applications such as WordPress and many bulletin board systems like phpBB or vBulletin. The issues affect PHP versions up to (and including) 4.4.2 and 5.1.2; the current CVS snapshots for the upcoming 5.1.3 release will be the first to fix them. The issues were first published by Maksymilian Arciemowicz on his website and on the Full Disclosure mailing list. The four errors, of differing severity, are:
- An error in the copy() function circumvents the “Safe Mode” for users who are logged in on the system. Usually “Safe Mode” prevents users from accessing files outside their own home directories, but the copy() function skips that check when it is fed file path names in a certain special format. This issue may be a security problem in shared hosting environments.
- The tempnam() function may circumvent the “open basedir” restriction, another security feature of PHP which serves nearly the same purpose as “Safe Mode” but imposes fewer restrictions on PHP functions. The issue described by Arciemowicz may be misused for DoS attacks under special circumstances.
- The third flaw may crash processes, which sounds more serious than it actually is, because the attacker can only kill his own processes. Still, this can at least be misused to add useless server load.
- The fourth issue is once again an XSS attack, but it is based on the phpinfo() function, which should rarely be exposed in the wild (it is of nearly no interest to the usual visitor of a site, so it shouldn’t be too much of an issue). Yet one should keep in mind that such XSS attacks allow reading cookies one shouldn’t have access to, injecting malicious JavaScript code and the like, so it is at least a nasty issue.
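The first two items share a lesson for application developers: PHP’s “Safe Mode” and “open basedir” are process-wide restrictions that the interpreter itself may fail to enforce, so an application that handles user-supplied file names should constrain them itself. The following is an added example, not code from the original post or from Arciemowicz’s advisory, written for current PHP (7 or later) rather than the 4.x/5.x versions discussed above. The function names, the rejection of stream-wrapper prefixes and the temporary-directory demonstration are my own assumptions about how such a check would be laid out.

```php
<?php
// Added example: application-level path confinement that does not depend on
// Safe Mode or open_basedir. Function names here are illustrative assumptions.

/**
 * Resolve $relative against $baseDir and return the absolute path only if
 * the result still lies inside $baseDir; otherwise return null.
 */
function resolveWithinBase(string $baseDir, string $relative): ?string
{
    // Refuse anything that looks like a stream wrapper (e.g. "php://"):
    // this check is about plain filesystem paths only.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $relative)) {
        return null;
    }
    // Reject embedded NUL bytes, which truncate paths in C-level calls.
    if (strpos($relative, "\0") !== false) {
        return null;
    }

    $baseNoSep = realpath($baseDir);
    if ($baseNoSep === false) {
        return null;
    }
    $baseNoSep = rtrim($baseNoSep, DIRECTORY_SEPARATOR);
    $base = $baseNoSep . DIRECTORY_SEPARATOR;

    // realpath() collapses "..", symlinks and duplicate separators, and
    // returns false for paths that do not exist.
    $candidate = realpath($base . $relative);
    if ($candidate === false) {
        return null;
    }
    // Accept the base directory itself, or a strict prefix match that
    // includes the trailing separator so that "/srv/data2" is not treated
    // as being inside "/srv/data".
    if ($candidate !== $baseNoSep
        && strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Copy a file between two locations, both confined to $baseDir. */
function copyWithinBase(string $baseDir, string $src, string $dstName): bool
{
    $from = resolveWithinBase($baseDir, $src);
    if ($from === null || !is_file($from)) {
        return false;
    }
    // The destination file need not exist yet, so confine its directory.
    $toDir = resolveWithinBase($baseDir, dirname($dstName));
    if ($toDir === null || !is_dir($toDir)) {
        return false;
    }
    return copy($from, $toDir . DIRECTORY_SEPARATOR . basename($dstName));
}

// Constructed demonstration in a throwaway temporary directory.
$base = sys_get_temp_dir() . '/pathcheck_demo_' . getmypid();
mkdir($base . '/sub', 0700, true);
file_put_contents($base . '/sub/a.txt', "hello\n");

var_dump(resolveWithinBase($base, 'sub/a.txt') !== null);  // bool(true)
var_dump(resolveWithinBase($base, '../../etc/passwd'));     // NULL
var_dump(resolveWithinBase($base, 'php://memory'));         // NULL
var_dump(copyWithinBase($base, 'sub/a.txt', 'sub/b.txt'));  // bool(true)
var_dump(copyWithinBase($base, 'sub/a.txt', '../b.txt'));   // bool(false)
var_dump(copyWithinBase($base, 'sub/a.txt', 'c.txt'));      // bool(true)
```

The point of the realpath() call is that the check runs on the canonical path the kernel will actually open, not on the string the user typed; the trailing-separator prefix test and the wrapper rejection close the two gaps that a naive `strpos($path, $base) === 0` comparison leaves open.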
Arciemowicz demonstrates each of the described issues with examples, so there is also some danger that these get used as proof-of-concept demonstrations, which will almost inevitably result in really bad code.
