The PHP dev team released a new version of PHP 5.2.x two days ago. This version brings a few security fixes and a lot of bug squashing. Alas, there was one seriously wrong fix. A bug that we’ll call "PHP safe_mode bypass with exec/system/passthru" was supposedly fixed in this latest version. Supposedly. It’s still there. And here is a proof of concept. I’ll hold off on upgrading to 5.2.10.