PHP 4.4.1 has been released, which addresses a cross site scripting vulnerability in the commonly used phpinfo() call, and includes fixes for safe_mode vulnerabilities and $GLOBALS superglobal session variables, which could lead to the compromise of PHP scripts that were otherwise thought to be secure. A vulnerable PHP script that is exploited often leads to the web server being compromised and provides the opportunity for privilege escalation and potential full system compromise.
Vulnerable PHP scripts are increasingly being targeted by automated tools that compromise systems and use them for website defacements and phishing attacks. Users of PHP 4.x are urged to upgrade to PHP 4.4.1 as soon as possible.
Posted by: Kelly Martin