I currently have a web server running PHP 5.2.13 and have recently been told:
Synopsis :
The remote web server uses a version of PHP that is affected by multiple flaws.

Description :
According to its banner, the version of PHP 5.2 installed on the remote host is older than 5.2.15. Such versions may be affected by several security issues :

- A crash in the zip extract method.
- A possible double free exists in the imap extension. (CVE-2010-4150)
- An unspecified flaw exists in ‘open_basedir’. (CVE-2010-3436)
- A possible crash could occur in ‘mssql_fetch_batch()’.
- A NULL pointer dereference exists in ‘ZipArchive::getArchiveComment’. (CVE-2010-3709)
- A crash exists if anti-aliasing steps are invalid. (Bug #53492)
- A crash exists in pdo_firebird getAttribute(). (Bug 53323)
- A use-after-free vulnerability in the Zend engine when a ‘__set()’, ‘__get()’, ‘__isset()’ or ‘__unset()’ method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the ‘imagepstext()’ function in the GD extension. (Bug 53492 / CVE-2010-4698)
- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397)
- An error exists in the function ‘fnmatch’ that can lead to stack exhaustion.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- A memory corruption error exists in the function ‘substr_replace’.
- The following functions are not properly protected against function interruptions : addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strstr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, parse_str, pack, unpack, uasort, preg_match, strrchr, strchr, substr, str_repeat (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions : ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, ‘!’, character in variable names.
- A use-after-free error exists in the function ‘spl_object_storage_attach’. (CVE-2010-2225)

I’m not using a lot of these, e.g. mssql_fetch_batch(), pdo_firebird getAttribute…
Basically I’m curious to know if this is all a major concern?
Thanks,

When software updates are released (especially server software and code interpreters), there is always a good reason.
Do yourself a favor and update your software packages regularly. If security advisories have been released, don’t wait; update right away.
There are not a lot of changes to take into consideration between the PHP 5.2 branch and the 5.3 branch. One day, support for the 5.2 branch will be dropped and you’ll be forced to upgrade anyway. Take a look at the PHP 5.3.x Migration Guide.
Don’t tell me you don’t use string concatenation (.) and assignment concatenation (.=) in your code.
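
One way to check which of the scan findings above still apply to a given install, as an added example that is not part of the original thread. The finding-to-extension mapping and the `triage()` helper are this example's own reading of the report, and the code avoids newer syntax so it runs on PHP 5.2:

```php
<?php
// Added triage sketch; the fixed-in version comes from the scan report above.
define('FIXED_IN', '5.2.15');

// Finding => extension it lives in (assumed mapping). null = PHP core or
// ext/standard, which every build carries and which cannot be switched off.
$findings = array(
    'zip extract crash; ZipArchive::getArchiveComment (CVE-2010-3709)' => 'zip',
    'imap double free (CVE-2010-4150)'                                 => 'imap',
    'mssql_fetch_batch() crash'                                        => 'mssql',
    'pdo_firebird getAttribute() crash'                                => 'pdo_firebird',
    'imagepstext() stack overflow (CVE-2010-4698)'                     => 'gd',
    'XML-RPC NULL pointer dereference (CVE-2010-0397)'                 => 'xmlrpc',
    'sqlite arbitrary memory access'                                   => 'sqlite',
    'spl_object_storage_attach use-after-free (CVE-2010-2225)'         => 'spl',
    'session serializer injection via "!" in variable names'           => 'session',
    'open_basedir flaw (CVE-2010-3436)'                                => null,
    'Zend engine use-after-free in magic methods (CVE-2010-4697)'      => null,
    'interruptible string functions and ZEND_CONCAT-family opcodes'    => null,
    'fnmatch stack exhaustion; substr_replace memory corruption'       => null,
);

// Returns the findings that still apply: none once the version is fixed,
// otherwise every core finding plus those whose extension is loaded.
function triage($version, $findings, $loaded)
{
    if (version_compare($version, FIXED_IN, '>=')) {
        return array();
    }
    $loaded = array_map('strtolower', $loaded);
    $open = array();
    foreach ($findings as $label => $ext) {
        if ($ext === null) {
            $open[$label] = 'core, always present';
        } elseif (in_array($ext, $loaded, true)) {
            $open[$label] = "extension '$ext' is loaded";
        }
    }
    return $open;
}

$open = triage(PHP_VERSION, $findings, get_loaded_extensions());
echo 'PHP ', PHP_VERSION, ': ', count($open), " finding(s) still apply\n";
foreach ($open as $label => $why) {
    echo " - $label ($why)\n";
}
```

Run it through the web server rather than the CLI, since the two can load different php.ini files and extension sets. On any build older than 5.2.15 the core entries are always listed, whatever extensions are disabled.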