Jasper Bryant-Greene

Name of the Vulnerable Software and Affected Versions: PHP versions prior to 5.1.3-RC1 PHP versions 5.1.2 and prior PHP versions 5.0.5 and prior PHP versions 4.4.2 and prior PHP versions 4.3.11 and prior Description: The issue is related to the `html entity decode()` function in PHP, which is not binary safe. This can be exploited to disclose certain parts of the memory via a script calling the `html entity decode()` function with input controlled by the attacker and where the result is sent to the attacker. Information gathered by exploiting this issue may aid other attacks. Recommendations: For PHP versions 5.1.2 and prior, update to version 5.1.3-RC1 or later. For PHP versions 5.0.5 and prior, update to version 5.0.6 or later, or to version 5.1.3-RC1 or later. For PHP versions 4.4.2 and prior, update to version 4.4.3 or later, or to version 5.1.3-RC1 or later. For PHP versions 4.3.11 and prior, update to version 4.3.12 or later, or to version 5.1.3-RC1 or later. As a temporary workaround, consider restricting the use of the `html entity decode()` function until a patch is available.