PHP Users at Risk?

A new patch is out for a prior version of open source scripting language PHP, which addresses a recently-discovered security issue in version 4.

But the current version of PHP 5 may also be at risk from vulnerabilities that aren’t currently patched in that version.

PHP is the 10-year-old open source language that is now taking aim at stealing market share from Microsoft’s .NET and Sun’s J2EE middleware frameworks.

PHP 5 was released in July 2004, and is the version that PHP backer Zend and its allies will be using as part of a new PHP Framework.

PHP 4.x is still widely used and deployed (arguably currently more widely used than PHP 5.x). PHP 4 and 5 are also widely deployed as a core component of countless Web sites and applications as part of the LAMP (Linux/Apache/MySQL/PHP) stack.

PHP security group, the Hardened-PHP Project, reported today that PHP 4.x and 5.x were at risk from a number of vulnerabilities that could lead to denial of service attacks against Web sites.

Other potential risks: Cross Site Scripting attacks and other security bypass vulnerabilities that could have allowed a malicious user unauthorized system access.

The changelog for the newly patched 4.4.1 release of PHP also identifies the corrected security issues. Beyond security fixes, the changelog notes that the 4.4.1 release fixes 35 other defects.

One of the critical vulnerabilities, according to the Hardened-PHP project, is an error in the “GLOBALS” array that could lead to an overwrite and a potential for remote unauthorized PHP code execution.

In addition, a potential Cross Site Scripting vulnerability in phpinfo(), an oft-used function that outputs information about the particulars of a PHP installation, is on the list of vulnerabilities.

As well, a potential integer overflow vulnerability, tagged by the Common Vulnerabilities and Exposures (CVE) list as CAN-2005-2491, has hit the fix list.

The PHP Development Team also released version 4.4.1 today, which fixes the vulnerabilities in PHP 4.x. However, PHP 5.0.5, the most recent stable version of PHP 5.x, has yet to be patched. As a result, Stefan Esser of the Hardened-PHP project claims that users of PHP 5.0.5 may be at risk.

Esser advises PHP users to use his firm’s “Hardening-Patch” to further secure their PHP installation.

“At the moment it is not clear if there will be a PHP 5.0.6 or if people are advised to directly update to PHP 5.1.0 which is planned to be released before the 10th of November,” Esser said. “There actually exists a Release Candidate 4 of PHP 5.1.0 that is free of these vulnerabilities and the more people test it, the sooner PHP 5.1.0 comes out.”
