Scripting Flaw Leaves Servers Vulnerable | eWeek

Scripting Flaw Leaves Servers Vulnerable

Écrit par
Dennis Fisher
Dennis Fisher
Jul 22, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Security researchers have found a serious vulnerability in PHP, a scripting language used in creating dynamic Web pages, that could give an attacker control of some vulnerable Web servers.

Parser Hypertext Preprocessor (PHP) is an embedded HTML scripting language used mainly by Web servers running on Linux machines. It is a server-side language and is favored by Web developers for its compatibility with many database types. Along with Microsoft Corp.s Active Server Pages (ASP) and Sun Microsystems Inc.s Java Server Pages (JSP), PHP is one of the most common scripting languages on the Internet.

A flaw in the way that versions 4.2.0 and 4.2.1 handle error conditions triggered by a malformed post request could either lead to the server crashing or the attacker gaining control of the machine, according to an advisory published Monday by Stefan Esser, of e-Matters Security, a German security company. Esser is a PHP developer and previously has found several other bugs in PHP.

PHP contains code for parsing the headers of HTTP post requests. The code is used to differentiate between variables and files sent by the user agent in a “multipart/form-data” request. This parser has insufficient input checking, leading to the vulnerability, according to the PHP Groups bulletin.

Anyone who can send HTTP post requests to an affected web server, either locally or remotely, can exploit this vulnerability.

The flaw is most serious on Sun systems with Sparc chips running the Solaris operating system, Esser said, in that an attacker is able to free chunks of memory that he controls, giving him the ability to execute code. On systems based on Intel Corp. chips, an attacker would only be able to crash the Web server using this vulnerability, Esser said.

The PHP Group has released a new version, 4.2.2, which fixes the vulnerability. It is available for download here.

Related Stories:

  • Crackers Exploit PHP Vulnerabilities
  • More Security Coverage
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.