PHP 5.1.2 has been released: http://www.php.net/release_5_1_2.php The release announcement mentions this security fix: * Possible cross-site scripting problems in certain error conditions. The problem exists in the way PHP displays error messages. This issue is only exploitable when 'display_errors' and 'html_errors' are both set to 'On' in the PHP configuration file. When a HTML error message was being generated, the output was not properly sanitized, which could allow an attacker to insert arbitrary HTML, thus allowing a XSS attack. This issue is only exploitable if 'html_errors' is on, which the configuration file cleary states should not be used on production machines. I have verified this flaw exists in the PHP 4.3 and 5.1 branches.
This issue also affects RHEL3 and RHEL2.1
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0276.html