CERT warns of PHP security holes

Security experts have warned that hackers could exploit vulnerabilities in the open source scripting language, Hypertext Preprocessor (PHP), to control Web servers.

PHP is a server-side scripting language often used by Web programmers to dynamically create HTML pages.

Vulnerabilities in the code used to upload files to the server from a user's PC via a Web page could allow a hacker to take temporary control of the Web server using PHP.

Exploitation could also interrupt normal operations of the Web server, warned the US-based Computer Emergency Response Team/Coordination Centre (CERT).

PHP can be installed on Web servers such as Apache, IIS, Caudium, iPlanet and OmniHTTPd, CERT said.

According to a warning posted by Stefan Esser of the German Web-design and security company e-matters, there are several flaws in the "php_mime_split" function used by PHP to handle multipart/form-data POST requests.

CERT has recommended that users upgrade to the newest version, PHP 4.1.2, or apply patches to older versions.

PHP is an open source project of the Apache Software Foundation. Patches are available from its PHP support site, www.php.net.

PHP is included with many distributions of the Linux open-source operating system. Linux developers Red Hat and MandrakeSoft have been made aware of the holes in PHP and are working to eradicate the problems as well as offer patches for their customers, CERT said.

Full details are contained in the CERT-CC advisory at www.cert.org/advisories/CA-2002-05.html.


