PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php. Overview contains a typo, should read "PHP 5.2 through 5.2.6" not "5.6 through 5.2.6".
Publication date: Fri, 15 Aug 2008 05:41:00 +0000