Re: SecurityReason : PHP 5.2.6 dba_replace() destroying file

[Ilia Alshanetsky <ilia@xxxxxxxxxxx>]

The PHP 4.X tree has been discontinued and all users should upgrade to  
the 5.x tree.


On 6-Dec-08, at 7:47 AM, Eygene Ryabinkin wrote:

> Maksymilian, Ilia, good day.
>
> Thu, Nov 27, 2008 at 11:54:44PM -0000, cxib@xxxxxxxxxxxxxxxxxx wrote:
> > [ SecurityReason.com PHP 5.2.6 dba_replace() destroying file ]
> [...]
> > - --- 1. dba_replace() destroying file ---
> >
> > Function dba_replace() are not filtring strings key and value. There
> > is a possibility the destruction of the file.
>
> This vulnerability exists in 4.x line as well and it is still  
> unpatched.
> Had verified it for dba extension from 4.4.9.
>
> According to the revision log,
>  
> http://cvs.php.net/viewvc.cgi/php-src/ext/dba/libinifile/inifile.c?view=log&pathrev=
> there is no fix in the official PHP tree for 4.x yet.
> --
> Eygene

Ilia Alshanetsky