PHP flaw leaves two million servers open

by James Middleton

23 Jul 2002

Webmasters are on the alert this morning over a serious vulnerability in the popular PHP server-side scripting language.

PHP is thought to be the most commonly deployed Apache web server module, and security experts have indicated that over two million installations could be at risk.

Security authority the Computer Emergency Response Team (Cert) released an advisory today stating that PHP versions 4.2.0 and 4.2.1 are at risk from a remotely exploitable vulnerability which could crash a server.

The section of code at fault handles file uploads, specifically multi-part form data, which is used to send different types of information over the internet in one bundle.

By sending a specially crafted POST request to the web server, an attacker could corrupt the internal data structures used by PHP and crash the server.

Under some circumstances, an intruder might be able to take advantage of this flaw to execute arbitrary code with the privileges of the web server, according to Cert.

It should be noted that machines running on x86 architecture may be secure against the arbitrary code vulnerability due to the way the stack is structured, but they can still be crashed.

Cert advises upgrading to PHP version 4.2.2.
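
As an added illustration (not part of the original article or the Cert advisory), the sketch below checks collected `Server` and `X-Powered-By` header values for the two affected releases named above. The host names, banner strings and function names are constructed for the example.

```python
import re

# Affected releases as stated in the article; 4.2.2 is the advised upgrade.
AFFECTED = {(4, 2, 0), (4, 2, 1)}

# PHP product token as it appears in Server / X-Powered-By header values.
PHP_TOKEN = re.compile(r"\bPHP/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def classify_banner(banner):
    """Classify one header value: 'affected', 'not-affected' or 'unknown'."""
    match = PHP_TOKEN.search(banner)
    if match is None:
        # No token proves nothing: Apache's ServerTokens and PHP's expose_php
        # settings can hide the version while PHP is still loaded.
        return "unknown"
    version = tuple(int(part) for part in match.groups())
    return "affected" if version in AFFECTED else "not-affected"


def audit(inventory):
    """Return {host: status}; any affected banner marks the host affected."""
    report = {}
    for host, banners in inventory.items():
        statuses = {classify_banner(b) for b in banners}
        if "affected" in statuses:
            report[host] = "affected"
        elif "not-affected" in statuses:
            report[host] = "not-affected"
        else:
            report[host] = "unknown"
    return report


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web1.example": ["Apache/1.3.26 (Unix) PHP/4.2.1 mod_ssl/2.8.10"],
    "web2.example": ["Apache/1.3.26 (Unix)", "PHP/4.2.2"],
    "web3.example": ["Apache"],
    "web4.example": ["Apache/1.3.24 (Unix) PHP/4.1.2"],
    "web5.example": ["Apache/1.3.26 (Unix)", "php/4.2.0"],
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` still need the installed PHP version confirmed on the machine itself, since a suppressed banner says nothing about what is running.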

Internet Security Systems' X-Force added that the vulnerability should be considered serious because of the widespread use of PHP.

"It is used primarily in Apache web server environments and is supported by all major web servers and operating systems," it said.

However, the security group stated that there is no widespread circulation of an exploit for this vulnerability as yet.

More details can be found here.
