All the latest UK technology news, reviews and analysis

PHP hole may have web impact

by James Middleton

28 Feb 2002


Website administrators using the popular PHP scripting software were warned yesterday to upgrade their systems to quash a number of "critical" security holes.

According to advisories from PHP.net, all versions of the software are affected by memory allocation bugs in its file upload support (the code that parses multipart/form-data POST requests), which could allow an attacker to take control of web servers running PHP.

Currently, the finer details of the vulnerabilities have been kept under wraps in a bid to delay the appearance of exploit scripts on the hacker underground.

But it is thought that at least one tool capable of compromising a server running PHP may already be in circulation, although it may not be in widespread use yet.

An advisory from Internet Security Systems X-Force reads: "X-Force has verified that a functional exploit for one of the vulnerabilities exists and may be actively circulating in the computer underground."

The security firm also warned that the vulnerability could have a significant impact on the web.

Netcraft reports that as of January 2002, there are over 20.8 million active Apache installations, which account for 57 per cent of sites surveyed.

Meanwhile, Secure Space reports that PHP is the most popular Apache module available, with over 1.44 million active installations.

PHP is widely used as a website engine, but it is also bundled into the hosting packages of many hosting companies, so many of the site owners at risk may not even know they are running it.

However, Johannes Ullrich of the SANS Institute said he had seen the exploit code and noted that it was buggy and often ineffective.

"Exploit or hoax? I was not quite able to get it to work..." Ullrich did manage to access one server and crash another.

"This exploit may be very sensitive to particular Apache/PHP configurations," he said, but "upgrading to PHP 4.1.1 appears to be the safe bet at this point."

More information is available from PHP.net, and in the SANS and ISS X-Force advisories.

Hackinthebox.org has also noted that, as a stop-gap short of upgrading, file uploads can be disabled by turning off the file_uploads directive in php.ini. This closes the upload path the bugs sit in but does not remove them, and it will break any application that depends on uploads, so it is a workaround until the upgrade is applied, not a substitute for it.
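The following is an added example, not code from the article, from PHP.net or from any of the advisories it cites. It audits a php.ini for the file_uploads directive described above and flips it to Off, showing the weak setting beside the corrected one. It assumes php.ini is plain "key = value" text with ';' comments, that PHP reads directive names case-insensitively and honours the last active line, that it treats 1/On/True/Yes as enabled, and that file_uploads defaults to On when the directive is absent (the PHP 4 built-in default). The sample php.ini it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from PHP.net: audit and flip the
# php.ini directive the article names as the stop-gap. Upgrading is the real
# fix; this only closes the upload path the bugs live in.
#
# Assumptions: php.ini is "key = value" text with ';' comments, PHP reads
# directive names case-insensitively and takes the last active line, treats
# 1/On/True/Yes as enabled, and defaults file_uploads to On when the
# directive is absent (the PHP 4 built-in default).

# Print "on" or "off" for the effective file_uploads setting in the given ini.
php_file_uploads() {
    val=$(awk '
        { line = $0; sub(/;.*/, "", line) }             # strip comments first
        tolower(line) ~ /^[ \t]*file_uploads[ \t]*=/ {
            sub(/^[^=]*=/, "", line)                     # keep only the value
            gsub(/[ \t"]/, "", line)                     # drop quotes and space
            v = tolower(line)                            # last active line wins
        }
        END { print v }' "$1")
    case "$val" in
        ""|1|on|true|yes) echo on ;;   # "" = directive absent, default is On
        *)                echo off ;;
    esac
}

# Set file_uploads = Off, rewriting every active directive line or appending
# one if none exists. Writes via a temp file so it works where sed -i differs.
disable_uploads() {
    ini="$1"
    if grep -qi '^[[:space:]]*file_uploads[[:space:]]*=' "$ini"; then
        awk 'tolower($0) ~ /^[ \t]*file_uploads[ \t]*=/ { sub(/=.*/, "= Off") } { print }' \
            "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
    else
        printf '\nfile_uploads = Off\n' >> "$ini"
    fi
}

# Constructed sample php.ini for the demonstration, not a real server's file.
mk_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini (trimmed)
[PHP]
;file_uploads = Off        ; commented out: must be ignored
File_Uploads = On          ; the weak setting, name in mixed case
upload_max_filesize = 2M
EOF
}

# Demonstration run on the constructed file.
tmp=$(mktemp) || exit 1
mk_sample_ini "$tmp"
echo "before: file_uploads=$(php_file_uploads "$tmp")"
disable_uploads "$tmp"
echo "after:  file_uploads=$(php_file_uploads "$tmp")"
rm -f "$tmp"
```

Run it against the php.ini the server actually loads (the path phpinfo() or `php -i` reports), since distributions ship several copies, and confirm the change with phpinfo() after restarting the web server, because mod_php reads php.ini only at startup.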
