Hi everybody! I want to tell that pretty nasty bug was discovered in PHP (all tested versions were vulnerable). I do not want to disclose much details as it may hurt many websites. I expect PHP team to make patch first. There is simple way to protect yourself against this bug if you put some code in beginning of every source code looking for weird ASCII bytes before any other code. Make some kind of "white-list" for characters you allow and deny everything else. More details to come when we have PHP patches distributed with major distributions. I might disclose details before to some IDS vendor or other trusted party. Tõnu
