Summary
This host has PHP installed and is prone to a remote arbitrary code execution vulnerability.
Impact
Successful exploitation could allow remote attackers to execute arbitrary PHP code by including arbitrary files from remote resources.
Impact Level: Application/System
Solution
Update to version 5.3.9 or later.
For updates refer to http://php.net/downloads.php
Insight
The flaw is due to an error in the 'is_a()' function. It accepts a string as its first argument, which can lead to the '__autoload()' function being called unexpectedly. Applications that do not properly verify input in their '__autoload()' function are then exposed to unexpected attack vectors.
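A defensive pattern for the behaviour described above, as an added example that is not part of the original advisory: the autoloader validates the class name before any include, and `is_a()` is only called on real objects. The `classes` directory, `safe_class_path()` and `is_instance_of()` are hypothetical names chosen for this example.

```php
<?php
// Added example, not from the advisory. CLASS_DIR and both helper
// functions are assumptions made for illustration.
define('CLASS_DIR', __DIR__ . '/classes');

// Map a class name to a file, or return null if the name is not a plain
// identifier (optionally namespaced). This rejects URLs, path separators,
// dots and stream-wrapper prefixes before anything is included.
function safe_class_path($class)
{
    if (!is_string($class) ||
        !preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/', $class)) {
        return null;
    }
    $base = realpath(CLASS_DIR);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . '/' . str_replace('\\', '/', $class) . '.php');
    // The resolved file must exist and must stay inside CLASS_DIR.
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Registered autoloader: loads only files that passed validation.
spl_autoload_register(function ($class) {
    $path = safe_class_path($class);
    if ($path !== null) {
        require $path;
    }
});

// Type check that never hands a string to is_a(), so untrusted string
// values cannot reach the autoloader through this call.
function is_instance_of($value, $class)
{
    return is_object($value) && is_a($value, $class);
}

// Constructed inputs: a real object and a string that is not a class name.
var_dump(is_instance_of(new ArrayObject(), 'ArrayObject'));
var_dump(is_instance_of('http://example.invalid/x', 'ArrayObject'));
var_dump(safe_class_path('http://example.invalid/x'));
```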
Affected
PHP versions 5.3.7 and 5.3.8 on Windows.
Severity
Classification
CVE: CVE-2011-3379
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P