PHP Plugs Security Hole | Internet News

Written By
Ryan Naraine
Feb 18, 2003

The PHP Group has released a new PHP version to fix a “serious security vulnerability” that could lead to arbitrary code execution.

PHP, a project of the Apache Software Foundation, said it released the new version 4.3.1 to squash a bug in the CGI SAPI of an earlier version.

“Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs,” the group warned, noting that the bug does not affect any other SAPI modules like Apache or ISAPI.

It warned that a remote attacker could also trick PHP into executing arbitrary PHP code if the intruder is able to inject the code into files accessible by the CGI. For example, PHP said, this could be the Web server access logs.

It said version 4.3.1, which incorporates a fix for the vulnerability, only contains fixes for this specific vulnerability, “so upgrading from 4.3.0 is safe and painless.”

The PHP project, created in 1995 by Rasmus Lerdorf, has seen startling usage growth since 1999 and recent adoption by Yahoo has put the general-purpose scripting language in front of an enterprise audience.

It is not the first serious vulnerability in PHP, which ships standard with a number of Web servers, including Red Hat Linux.


Last July, the PHP project issued a patch for an input-checking vulnerability that opened the door for hackers to gain Web server access. That patch corrected the POST parser method in the software standard, which looks at the incoming traffic’s headers and allows or rejects the data.
