Unrated severity · NVD Advisory · Published Nov 3, 2011 · Updated Apr 29, 2026

CVE-2011-3379

Description

The is_a() function in PHP 5.3.7 and 5.3.8 triggers the autoloader, enabling remote code execution via crafted URLs when combined with unsafe autoloaders.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The is_a() function in PHP 5.3.7 and 5.3.8 incorrectly triggers the __autoload() function when the first argument is not an object [1]. This behavior deviates from previous versions and can be exploited when combined with custom autoloaders or PEAR packages that rely on is_a() for type checking [3].

Exploitation

An attacker can provide a crafted URL as the first argument to is_a() (e.g., through a user-supplied variable). If the application uses an __autoload() function that includes remote files or performs unsafe operations based on the class name, the attacker can trigger inclusion of a remote file, leading to code execution [2][3]. No authentication is required; the vulnerability is accessible via web input that reaches the is_a() call.

Impact

Successful exploitation allows remote attackers to execute arbitrary PHP code on the server, potentially gaining full control of the affected system. The impact is high, with complete compromise of confidentiality, integrity, and availability.

Mitigation

The issue is fixed in PHP 5.3.9 [2]. Users should upgrade to PHP 5.3.9 or later. As a workaround, avoid using is_a() with non-object arguments, or ensure autoloaders do not execute remote includes. Patches are available for PHP 5.4 and HEAD [1].
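One way to apply both workarounds, as an added example that is not code from the advisory or from the PHP project: an autoloader that only resolves plain class names to local files, and a type check that never passes a non-object to is_a(). The names CLASS_DIR and safe_is_a() are hypothetical, and the inputs at the end are constructed.

```php
<?php
// Added example. CLASS_DIR and safe_is_a() are hypothetical names.
define('CLASS_DIR', __DIR__ . '/classes');

// Hardened autoloader: a class name is never used as a path or URL as-is.
spl_autoload_register(function ($class) {
    // Accept only plain (optionally namespaced) identifiers. Anything with
    // a scheme, slash, dot or other separator is ignored.
    $pattern = '/^[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*\z/';
    if (!is_string($class) || !preg_match($pattern, $class)) {
        return;
    }

    $base = realpath(CLASS_DIR);
    if ($base === false) {
        return; // class directory missing: load nothing
    }

    // Map namespace separators to directories, then resolve the real path.
    $candidate = $base . '/' . str_replace('\\', '/', $class) . '.php';
    $real = realpath($candidate);

    // realpath() fails for missing files and for non-local targets; the
    // prefix check keeps symlinks from leading outside CLASS_DIR.
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return;
    }

    require $real;
});

// Type check that guards is_a(): the first argument reaches is_a() only
// when it is already an object, so it is never treated as a class name.
function safe_is_a($value, $class)
{
    return is_object($value) && is_a($value, $class);
}

// Constructed inputs: a request-style string, then a real object.
var_dump(safe_is_a('http://example.invalid/Foo', 'stdClass'));
var_dump(safe_is_a(new stdClass(), 'stdClass'));
```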

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
