CVE-2006-1490

Name of the Vulnerable Software and Affected Versions: PHP versions prior to 5.1.3-RC1 PHP versions 5.1.2 and prior PHP versions 5.0.5 and prior PHP versions 4.4.2 and prior PHP versions 4.3.11 and prior

Description: The issue is related to the html entity decode() function in PHP, which is not binary safe. This can be exploited to disclose certain parts of the memory via a script calling the html entity decode() function with input controlled by the attacker and where the result is sent to the attacker. Information gathered by exploiting this issue may aid other attacks.

Recommendations: For PHP versions 5.1.2 and prior, update to version 5.1.3-RC1 or later. For PHP versions 5.0.5 and prior, update to version 5.0.6 or later, or to version 5.1.3-RC1 or later. For PHP versions 4.4.2 and prior, update to version 4.4.3 or later, or to version 5.1.3-RC1 or later. For PHP versions 4.3.11 and prior, update to version 4.3.12 or later, or to version 5.1.3-RC1 or later. As a temporary workaround, consider restricting the use of the html entity decode() function until a patch is available.