It was reported [1],[2] that due to changes in the is_a() function [3],[4] PHP 5.3.7 and 5.3.8 became vulnerable to remote arbitrary code execution when is_a() is used in certain ways. Due to the __autoload() implementation, if a user were able to upload a crafted file, it could be possible to pass the contents of the file as an argument to the __autoload() function which could in turn use that argument as a file to include(). If there was no adequate checking or enforcement of the file to load being, local, this could lead to including a remote script from a remote web site. An example of a vulnerable __autoload() function could be: function __autoload($class_name) { include $class_name . '.php'; } In the above example, were $class_name to include a remote URL, and if allow_url_fopen was enabled in php.ini, this could result in loading a remote PHP script on the server. This flaw does not affect PHP versions prior to 5.3.7 were this change was introduced. A fix is in PHP's subversion repository (r317183) [5]. [1] http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/ [2] https://bugs.php.net/bug.php?id=55475 [3] https://bugs.php.net/bug.php?id=53727 [4] http://svn.php.net/viewvc/?view=revision&revision=312904 [5] http://svn.php.net/viewvc/?view=revision&revision=317183 Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4, 5, or 6.
Created php tracking bugs for this issue Affects: fedora-all [bug 741022]
A better (and less restrictive) work-around for this flaw is to disable allow_url_include rather than allow_url_fopen.
This has been assigned the name CVE-2011-3379
php-5.3.8-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
php-5.3.8-3.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
php-5.3.8-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.