PHP is a server-side scripting language often used by Web programmers to dynamically create HTML pages.
Vulnerabilities in code used to upload files to the server from a user's PC via a Web page could allow a hacker to take temporary control of the web server using PHP.
It could also interrupt normal operations of the Web server, warned the US-based Computer Emergency Response Team/Coordination Centre (CERT).
PHP can be installed on Web servers such as Apache, IIS, Caudium, iPlanet and OmniHTTPd, CERT said.
According to a warning posted by Stefan Esser of the German Web-design and security company e-matters, there are several flaws in the "php_mime_split" function used by PHP to handle multipart/form-data POST requests.
CERT has recommended that users upgrade to the newest version, PHP 4.1.2, or apply patches to older versions.
PHP is an open source project of the Apache Software Foundation. Patches are available from its PHP support site, www.php.net .
PHP is included with many distributions of the Linux open-source operating system. Linux developers Red Hat and MandrakeSoft have be made aware of the holes in PHP and are working to eradicate the problems as well as offer patches for their customers, CERT said.
Full details are contained in the CERT-CC advisory at www.cert.org/advisories/CA-2002-05.html.