Scripting Flaw Leaves Servers Vulnerable

A serious vulnerability in PHP could give an attacker control of vulnerable Web servers, say security researchers.

Security researchers have found a serious vulnerability in PHP, a scripting language used in creating dynamic Web pages, that could give an attacker control of some vulnerable Web servers.

Parser Hypertext Preprocessor (PHP) is an embedded HTML scripting language used mainly by Web servers running on Linux machines. It is a server-side language and is favored by Web developers for its compatibility with many database types. Along with Microsoft Corp.s Active Server Pages (ASP) and Sun Microsystems Inc.s Java Server Pages (JSP), PHP is one of the most common scripting languages on the Internet.

A flaw in the way that versions 4.2.0 and 4.2.1 handle error conditions triggered by a malformed post request could either lead to the server crashing or the attacker gaining control of the machine, according to an advisory published Monday by Stefan Esser, of e-Matters Security, a German security company. Esser is a PHP developer and previously has found several other bugs in PHP.

PHP contains code for parsing the headers of HTTP post requests. The code is used to differentiate between variables and files sent by the user agent in a "multipart/form-data" request. This parser has insufficient input checking, leading to the vulnerability, according to the PHP Groups bulletin.

Anyone who can send HTTP post requests to an affected web server, either locally or remotely, can exploit this vulnerability.

The flaw is most serious on Sun systems with Sparc chips running the Solaris operating system, Esser said, in that an attacker is able to free chunks of memory that he controls, giving him the ability to execute code. On systems based on Intel Corp. chips, an attacker would only be able to crash the Web server using this vulnerability, Esser said.

The PHP Group has released a new version, 4.2.2, which fixes the vulnerability. It is available for download here.

Related Stories:

  • Crackers Exploit PHP Vulnerabilities
  • More Security Coverage