Security threats Toolkit

Critical PHP flaw patched

Tags:
PHP

Published: 20 Dec 2004 08:40 GMT

Two software updates have been released to fix critical flaws that could allow an attacker to compromise servers using PHP, a programming language for Web pages.

The PHP Group, a software developer community, issued versions 4.3.10 and 5.0.3 of PHP this week to remedy the problems in the major versions of the Web page-processing program.

"All users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible," the group advised on its Web site.

Arguably the most critical vulnerability is in a function used to compact data for storage. By exploiting the flaw, an attacker could take control of the Web server that runs a vulnerable version of the PHP: Hypertext Preprocessing (PHP), according to the Hardened-PHP group, which found the flaw.

Originally known as Personal Home Page, PHP consists of a server-side scripting language that can be embedded in Web pages to generate dynamic content, and the processing program required to act on the commands. Many blogging programs and content management applications are written in PHP.

The language can be used to control the content of a Web site, by interacting with a database to create pages in response to a visitor's clicks. Typically, a Web page holds snippets of PHP code that are run whenever a visitor requests that page. The code triggers the content displayed on the page, often pulling it from a database that holds articles, graphics and personalised settings, for example.

In addition to the critical flaw, the Hardened-PHP community found six other vulnerabilities in PHP, according to an advisory released by the group. It also develops its own, security-hardened version of PHP, and has released its own fully patched version of the system with additional security features.

The PHP Group's updates, which fix those vulnerabilities and several smaller bugs, have been posted to the group's Web site.