Best IMG Board Script?? (253)

46 Name: Anonymous : 2008-11-17 18:34 ID:6fnTTb2s [Del]

Note-avoid php-received this from bugtraq not too long ago:
Several vulnerabilitites were found in PHP:

  • PHP ships a vulnerable version of the PCRE library which allows for
    the circumvention of security restrictions or even for remote code
    execution in case of an application which accepts user-supplied
    regular expressions (CVE-2008-0674).
  • Multiple crash issues in several PHP functions have been
    discovered.
  • Ryan Permeh reported that the init_request_info() function in
    sapi/cgi/cgi_main.c does not properly consider operator precedence
    when calculating the length of PATH_TRANSLATED (CVE-2008-0599).
  • An off-by-one error in the metaphone() function may lead to memory
    corruption.
  • Maksymilian Arciemowicz of SecurityReason Research reported an
    integer overflow, which is triggerable using printf() and related
    functions (CVE-2008-1384).
  • Andrei Nigmatulin reported a stack-based buffer overflow in the
    FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050).
  • Stefan Esser reported that PHP does not correctly handle multibyte
    characters inside the escapeshellcmd() function, which is used to
    sanitize user input before its usage in shell commands
    (CVE-2008-2051).
  • Stefan Esser reported that a short-coming in PHP's algorithm of
    seeding the random number generator might allow for predictible
    random numbers (CVE-2008-2107, CVE-2008-2108).
  • The IMAP extension in PHP uses obsolete c-client API calls making
    it vulnerable to buffer overflows as no bounds checking can be done
    (CVE-2008-2829).
  • Tavis Ormandy reported a heap-based buffer overflow in
    pcre_compile.c in the PCRE version shipped by PHP when processing
    user-supplied regular expressions (CVE-2008-2371).
  • CzechSec reported that specially crafted font files can lead to an
    overflow in the imageloadfont() function in ext/gd/gd.c, which is
    part of the GD extension (CVE-2008-3658).
  • Maksymilian Arciemowicz of SecurityReason Research reported that a
    design error in PHP's stream wrappers allows to circumvent safe_mode
    checks in several filesystem-related PHP functions (CVE-2008-2665,
    CVE-2008-2666).
  • Laurent Gaffie discovered a buffer overflow in the internal
    memnstr() function, which is used by the PHP function explode()
    (CVE-2008-3659).
  • An error in the FastCGI SAPI when processing a request with
    multiple dots preceding the extension (CVE-2008-3660).

if you're determined to use PHP, upgrade to the latest version, though as you can see its track record isn't the best.

Name: Link:
Leave these fields empty (spam trap):
More options...
Verification: