Scripting Flaw Leaves Servers Vulnerable
A serious vulnerability in PHP could give an attacker control of vulnerable Web servers, say security researchers.
Security researchers have found a serious vulnerability in PHP, a scripting language used in creating dynamic Web pages, that could give an attacker control of some vulnerable Web servers. Parser Hypertext Preprocessor (PHP) is an embedded HTML scripting language used mainly by Web servers running on Linux machines. It is a server-side language and is favored by Web developers for its compatibility with many database types. Along with Microsoft Corp.'s Active Server Pages (ASP) and Sun Microsystems Inc.'s Java Server Pages (JSP), PHP is one of the most common scripting languages on the Internet.
A flaw in the way that PHP versions 4.2.0 and 4.2.1 handle error conditions triggered by a malformed POST request could either crash the server or give the attacker control of the machine, according to an advisory published Monday by Stefan Esser of e-Matters Security, a German security company. Esser is a PHP developer and has previously found several other bugs in PHP.