[2011-09-24 19:21 UTC] grinyad at mail dot ru
// make a Pdo_Mysql statement before
$result = $stmt->fetch(PDO::FETCH_LAZY);
$_SESSION['PDORow'] = $result;
It crashes on session_start() on the next request after saving the PDORow to the session.
[2011-09-24 19:24 UTC] email@example.com
What do you mean by "crashing"? Is the actual PHP process crashing, or
are you just getting an error message because PDO statements aren't
serialisable (which is expected)?
[2011-09-25 08:56 UTC] grinyad at mail dot ru
It is an Apache crash. It gives a CGI/FastCGI Send/Don't Send window.
After a few minutes the Apache server crashes:
[2011-09-25 12:39 UTC] firstname.lastname@example.org
PDORow objects may not be serialized and therefore may not be put in a session. In
svn it was fixed to throw a warning and not crash anymore; this will be in
Fixed in dev-lang/php-5.3.9 - added to existing GLSA request.
The PDORow implementation in PHP before 5.3.9 does not properly interact
with the session feature, which allows remote attackers to cause a denial of
service (application crash) via a crafted application that uses a PDO driver
for a fetch and then calls the session_start function, as demonstrated by a
crash of the Apache HTTP Server.
This issue was resolved and addressed in
GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).
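
The following is an added example, not code from the original report or from PHP itself: a guard that keeps PDORow (and other PDO objects) out of $_SESSION, next to the FETCH_ASSOC replacement for the pattern in the report. The helper names contains_pdo_object() and session_put(), the in-memory SQLite database and the sample row are assumptions made so the script runs from the CLI without a MySQL server; it targets PHP 7.1 or later.

```php
<?php
// Added example; helper names, table and row are constructed for illustration.

/** True if $value, or anything nested in an array, is a PDO object. */
function contains_pdo_object($value): bool
{
    if ($value instanceof PDORow || $value instanceof PDOStatement || $value instanceof PDO) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_pdo_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Hypothetical helper: store a value in the session only if it can be serialized. */
function session_put(string $key, $value): void
{
    if (contains_pdo_object($value)) {
        throw new InvalidArgumentException("refusing to store a PDO object under '$key'");
    }
    $_SESSION[$key] = $value;
}

$pdo = new PDO('sqlite::memory:'); // assumption: pdo_sqlite is available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER, name TEXT)");
$pdo->exec("INSERT INTO users VALUES (1, 'alice')"); // constructed sample row

$_SESSION = []; // stand-in for session_start() when run from the CLI

// Pattern from the report: a lazy row stays bound to its statement.
$stmt = $pdo->query('SELECT id, name FROM users');
$lazy = $stmt->fetch(PDO::FETCH_LAZY);
try {
    session_put('PDORow', $lazy);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Replacement: fetch a plain array, which the session serializer handles normally.
$stmt = $pdo->query('SELECT id, name FROM users');
session_put('user', $stmt->fetch(PDO::FETCH_ASSOC));
echo serialize($_SESSION), "\n";
```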