PHP falls down security hole
TechWorld.com - Servers running PHP are vulnerable to a number of serious security exploits, including some that could allow an attacker to execute malicious code, as well as denial-of-service exploits, according to the PHP Group.
The project has issued updates fixing the bugs, available from the PHP Web site and directly from various operating system vendors. "All Users of PHP are strongly encouraged to upgrade to this release," the PHP Group said in its advisory.
PHP, an open-source programming language mainly for server-side applications, runs on server operating systems such as Linux, Unix, Mac OS X and Windows.
Several of the flaws were discovered in PHP's EXIF module, used to handle the Exchangeable Image file format (EXIF) specification used by digital cameras. A bug in the module's exif_process_IFD_TAG() function could be exploited by a specially crafted "Image File Directory" (IFD) tag to cause a buffer overflow and execute malicious code with the privileges of the PHP server, according to Mandriva, which issued its update yesterday.
A second EXIF module bug could lead to an infinite recursion, causing the executed program to crash.
Another flaw, first disclosed by iDefense, affects the "php_handle_iff()" and "php_handle_jpeg()" functions and could be exploited by a specially formed image to cause infinite loops and consume all available CPU resources, creating a denial of service. The PHP update fixes a number of other security flaws, mostly less serious, as well as non-security-related bugs.
Independent security firm Secunia originally gave the flaws a non-critical ranking, but later changed its rating to "highly critical" as more information came to light, the company said.
Updates are being distributed by Debian, Gentoo, Suse and others.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Reducing the Cost and Complexity of Web Vulnerability Management
- Hackers and cybercriminals are constantly refining their attacks and targets; which means you need agile tools to stay ahead of them.
Download this... - Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will... All Malware and Vulnerabilities White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Malware and Vulnerabilities Webcasts