On December 26, 2008, Cenzic added enhanced support to its Web Server SmartAttack, which now includes checks for the PHP ‘mbstring’ Extension Buffer Overflow Vulnerability (BugtraqID 32948). PHP is prone to this buffer overflow because it fails to perform boundary checks before copying user-supplied data into insufficiently sized memory buffers. Attackers who exploit this vulnerability can execute arbitrary machine code in the context of the affected Web server, and even failed attempts will likely crash the Web server, denying service to legitimate users. The following PHP versions are affected:
PHP/5.1.1 to PHP/5.1.6
PHP/5.0.0 to PHP/5.0.5
PHP/4.4.1 to PHP/4.4.9
PHP/4.3.1 to PHP/4.3.9

Detailed information is available at http://www.securityfocus.com/bid/32948/

To learn more about how you can automatically update your Cenzic Hailstorm product, visit our Website.

Background on Cenzic’s SmartAttacks

Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to use when it emulates a hacker and attacks our customers’ Websites to assess their security posture. These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by Erin Swanson ESwanson@cenzic.com