The open-source PHP Group has released a fix for a pair of security holes
that could be exploited to execute arbitrary code on remote PHP servers.
The flaws affect PHP versions 4.3.7 and prior and version 5.0.0RC3 and
prior. The final version of PHP 5.0, which was released
earlier this week, is not affected.
Fixes have been included in the updated PHP 4.3.8, and the PHP Group
is strongly encouraging users to upgrade.
According to research firm Secunia, the flaws carry a “highly critical”
rating, because it could allow malicious attackers to seize control of
vulnerable servers and use a Web browser to launch dangerous code.
The flaws were discovered by E-matters researcher Stefan Esser during a
re-audit of the PHP code. Esser posted an alert online
to warn that the vulnerabilities affect PHP servers with activated
“memory_limit.”
“During a re-audit of the memory_limit problematic it was discovered that
it is possible for a remote attacker to trigger the memory_limit request
termination in places where an interruption is unsafe. This can be abused to
execute arbitrary code on remote PHP servers,” the researcher warned.
Essert said the more serious of the two bugs was “quite easy to exploit”
and is exploitable on any platform.
The second flaw was found in PHP’s “strip_tags()” function that fails to
strip obfuscated HTML tags. Essert said the hole could be exploited to
conduct cross-site scripting attacks against sites, which only rely on the
“strip_tags()” functionality to prevent such attacks.
PHP is a general-purpose scripting language that is backed by the
open-source Apache Project. It is shipping standard with a number of
Linux-powered Web servers as an Apache module and has enjoyed startling usage growth over the last four
years. According to Netcraft statistics for June 2004, PHP is currently in
use on at least 16 million domains.