Channel Register®

Original URL: http://www.channelregister.co.uk/2005/11/01/php_security_vuln/

Shout goes out over PHP security bugs

The script's a killer

By John Leyden

Posted in Software & Security, 1st November 2005 15:38 GMT

Security researchers have identified numerous new vulnerabilities in PHP, the popular open source web development environment. The critical security flaws create a possible means for hackers to conduct cross-site scripting attacks, bypass certain security restrictions or even (at least potentially) compromise a vulnerable system.

The vulnerabilities are reported to affect PHP versions 4.4.0 and prior. Users are advised to update to version 4.4.1 (release notes here [1]). Most of this batch of PHP security vulnerabilities (summary [2]) were discovered by Stefan Esser, of the Hardened-PHP Project, which has published a series of advisories here [3].

The security bugs described by the Hardened-PHP Project are yet to be developed into s'kiddie friendly exploits. But the past appearance of PHP-targeting worms [4], and the damage they caused, really ought to prompt the rapid deployment of security updates. ®