Re: Updated PHP breaks processing-intense Procedure

From the link: "The php_register_variable_ex function in php_variables.c in
PHP 5.3.9 allows remote attackers to execute arbitrary code via a request
containing a large number of variables, related to improper handling of
array variables. NOTE: this vulnerability exists because of an incorrect
fix"

=======================

I wondered if it was memory handling, but what is it (I wonder out loud)
that could be "improper" about my array handling. No error messages are
thrown.

Ken


On Wed, Apr 24, 2013 at 4:14 PM, David OBrien <dgobrien@xxxxxxxxx> wrote:

> On Wed, Apr 24, 2013 at 5:09 PM, Ken Kixmoeller <phphelp@xxxxxxxxxxx> wrote:
>
>> Hey - --
>>
>> I have a huge screen -- to make it simple for the user, it does 100s of
>> calls to MySQL and has 1,000s (literally) of POST variables.
>>
>> We have done extensive research and see that upgrading from php 5.1.6-27
>> to 5.1.6-39 is the thing that caused it to break. All other issues (Apache,
>> PHP and MySQL configuration and Versions) have been methodically ruled
>> out.
>>
>>
>> Anybody experience this? Heard of it? Suggest a repair (other than
>> changing my screen)?
>>
>> *** Please don't tell me to redesign the screen -- this may come, but now
>> is an urgent situation.***
>>
>> Worked fine in prior versions for the last 3 years.
>>
>> Thanks,
>>
>> Ken
>>
>
> Looks like they fixed the bug that allowed that to work...
> php-common-5.1.6-32.el5.x86_64
> <http://linuxsoft.cern.ch/cern/slc5X/x86_64/yum/updates/php-common-5.1.6-32.el5.x86_64.rpm>
> [153 KiB] Changelog by Joe Orton (2012-02-02): - add security fix for
> CVE-2012-0830 (#786756)
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830
>
>
>
