Security hole uncovered in PHP

Multiple security vulnerabilities have been found in the popular open-source PHP scripting language, potentially affecting millions of Web servers running early versions of PHP for Apache server software on Linux or Solaris.

The vulnerabilities could allow a remote attacker to execute commands on a victim's system or cause other server disruptions, according to security experts. The vulnerability only affects servers that run versions of PHP up to and including 4.1.1.

PHP is an HTML-embedded scripting tool used for creating dynamic Web pages.

Patches are available, or users can download the latest version of PHP, 4.1.2, to resolve the security concerns. PHP is a project of The Apache Software Foundation in Forest Hill, Maryland.

PHP can also be used with other Web server software in addition to Apache, although the security holes haven't been found in other environments.

Alfred Huger, a vice president of engineering at security company SecurityFocus in San Mateo, Calif., said the vulnerability is a threat, but its "saving grace" is that it's presently too difficult for the average hacker to exploit. Patches or upgrading should be done by users, though, because it won't be long before hackers figure out how to make its use easier, he said.

The vulnerability is a "fairly vanilla buffer overflow," Huger said, which means an attacker floods a system with specifically crafted data to exploit a security hole.

Advisories about the problem have been posted on a wide range of security Web sites, including the CERT Coordination Center at Carnegie Mellon University in Pittsburgh; the SANS Institute in Bethesda, Md.; and German security company e-matters GmbH.

Rasmus Lerdorf, a San Francisco-based developer who created the original version of PHP, said the buffer overflow is only possible on servers with PHP file upload features turned on. Such file-upload features are popular with sites that typically receive a lot of files from customers, such as large Internet service providers. The vulnerability is serious, he said, because it allows the sending of a malformed, bogus file upload request that can crash a server. But patching the program or replacing it with the new version solves the problem, he said. "It's pretty easy to protect your site from it," he said.

Netcraft Ltd., a U.K.-based security and network management business, reported that the PHP vulnerability could affect about 1 million Web sites, according to its own internal Web usage surveys. About 10 million Web sites, or approximately 65 percent of the sites surveyed by Netcraft, use the Apache Web server. The vulnerable version of PHP was seen on about 8.4 million sites using its research methods, Netcraft reported. Netcraft spokesmen were unavailable for comment this afternoon.

Join the newsletter!

Error: Please check your email address.

More about ApacheCERT AustraliaMellonNetcraftSANS InstituteSecurityFocusThe SANS Institute

Show Comments

Market Place

[]