News

CERT warns of PHP security holes

Security experts have warned that hackers could exploit vulnerabilities in the open source scripting language, Hypertext Preprocessor (PHP), to control Web servers.

PHP is a server-side scripting language often used by Web programmers to dynamically create HTML pages.

Vulnerabilities in code used to upload files to the server from a user's PC via a Web page could allow a hacker to take temporary control of the web server using PHP.

It could also interrupt normal operations of the Web server, warned the US-based Computer Emergency Response Team/Coordination Centre (CERT).

PHP can be installed on Web servers such as Apache, IIS, Caudium, iPlanet and OmniHTTPd, CERT said.

According to a warning posted by Stefan Esser of the German Web-design and security company e-matters, there are several flaws in the "php_mime_split" function used by PHP to handle multipart/form-data POST requests.

CERT has recommended that users upgrade to the newest version, PHP 4.1.2, or apply patches to older versions.

PHP is an open source project of the Apache Software Foundation. Patches are available from its PHP support site, www.php.net .

PHP is included with many distributions of the Linux open-source operating system. Linux developers Red Hat and MandrakeSoft have be made aware of the holes in PHP and are working to eradicate the problems as well as offer patches for their customers, CERT said.

Full details are contained in the CERT-CC advisory at www.cert.org/advisories/CA-2002-05.html.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy