PHP Vulnerability Threatens Web Servers
Tuesday, July 23, 2002 by mcs2k1 | Discussion: WinCustomize News
A flaw found in newer versions of the PHP Web server scripting language could allow attackers to crash, and in some cases control, computers over the Internet, an open-source developer group announced Monday.
The vulnerability affects versions 4.2.0 and 4.2.1 of PHP, according to the PHP Group. The flaw compromises different computer architectures in different ways: Web servers running on Intel IA-32 hardware could crash, while other systems, including Sun Microsystems' Solaris, could allow the attacker to infiltrate the computer.
The flaw occurs because of a problem in the way PHP handles the memory allocated for data recovered from customer forms on Web pages. Such data is known as POST data, after the HTTP command name, and could be formatted by an attacker in a way to compromise the Web server.
"If you are running PHP 4.2.x, you should upgrade as soon as possible," Stefen Esser, a member of the PHP Group and the developer who discovered the scripting flaw, wrote in the advisory. "If you cannot upgrade for whatever reason, the only way to workaround this is to disable all kind of POST requests you server."
The flaw is the second major security hole to affect PHP this year. In February, another vulnerability that affected more versions of the scripting server and that could have led to a greater number of compromises was announced.
Source: http://www.neowin.net
The vulnerability affects versions 4.2.0 and 4.2.1 of PHP, according to the PHP Group. The flaw compromises different computer architectures in different ways: Web servers running on Intel IA-32 hardware could crash, while other systems, including Sun Microsystems' Solaris, could allow the attacker to infiltrate the computer.
The flaw occurs because of a problem in the way PHP handles the memory allocated for data recovered from customer forms on Web pages. Such data is known as POST data, after the HTTP command name, and could be formatted by an attacker in a way to compromise the Web server.
"If you are running PHP 4.2.x, you should upgrade as soon as possible," Stefen Esser, a member of the PHP Group and the developer who discovered the scripting flaw, wrote in the advisory. "If you cannot upgrade for whatever reason, the only way to workaround this is to disable all kind of POST requests you server."
The flaw is the second major security hole to affect PHP this year. In February, another vulnerability that affected more versions of the scripting server and that could have led to a greater number of compromises was announced.
Source: http://www.neowin.net
Please login to comment and/or vote for this skin.
Welcome Guest! Please take the time to register with us.
There are many great features available to you once you register, including:
- Richer content, access to many features that are disabled for guests like commenting on the forums and downloading skins.
- Access to a great community, with a massive database of many, many areas of interest.
- Access to contests & subscription offers like exclusive emails.
- It's simple, and FREE!
Reply #1 Wednesday, July 24, 2002 10:03 AM