• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

       

New PHP security vulnerabilities
Published: 2005-11-01

New vulnerabilities have been found in version 4 of the wildly popular PHP scripting language, thanks to recent advisories from the Hardened PHP Project. The announcement does not appear to affect PHP 5.0.5.

PHP 4.4.1 has been released, which addresses a cross site scripting vulnerability in the commonly used phpinfo() call, and includes fixes for safe_mode vulnerabilities and $GLOBALS superglobal session variables, which could lead to the compromise of PHP scripts that were otherwise thought to be secure. A vulnerable PHP script that is exploited often leads to the web server being compromised and provides the opportunity for privilege escalation and potential full system compromise.

Vulnerable PHP scripts are increasingly being targeted by automated tools that compromise systems and use them for website defacements and phishing attacks. Users of PHP 4.x are urged to upgrade to PHP 4.4.1 as soon as possible.

Posted by: Kelly Martin

       

Expand all | Post comment