The PHP Group, a software developer community, issued versions 4.3.10 and 5.0.3 of PHP this week to remedy the problems in the major versions of the Web page-processing program.
"All users of PHP are strongly encouraged to upgrade to one of these releases as soon as possible," the group advised on its Web site.
Arguably the most critical vulnerability is in a function used to compact data for storage. By exploiting the flaw, an attacker could take control of a Web server running a vulnerable version of PHP (PHP: Hypertext Preprocessor), according to the Hardened-PHP group, which found the flaw.
Originally known as Personal Home Page, PHP consists of a server-side scripting language that can be embedded in Web pages to generate dynamic content, and the processing program required to act on the commands. Many blogging programs and content management applications are written in PHP.
The language can be used to control the content of a Web site, by interacting with a database to create pages in response to a visitor's clicks. Typically, a Web page holds snippets of PHP code that are run whenever a visitor requests that page. The code triggers the content displayed on the page, often pulling it from a database that holds articles, graphics and personalized settings, for example.
As a programming language, PHP is flexible enough to accomplish a variety of tasks. A Web server has to run the PHP processor program to interpret any pages containing the language.
In addition to the critical flaw, the Hardened-PHP community found six other vulnerabilities in PHP, according to an advisory released by the group. The group also develops its own security-hardened version of PHP, and has released a fully patched version of that system with additional security features.
The PHP Group's updates, which fix those vulnerabilities and several smaller bugs, have been posted to the group's Web site.
- Whoa, a flaw in an OPEN SOURCE product????
by
December 17, 2004 4:49 PM PST
- Gosh, IMAGINE THAT.
- And to be honest...
by Dachi
December 17, 2004 5:44 PM PST
- Things have been pretty quiet on the 2003 server front.
- yeah...
by David Arbogast
December 18, 2004 9:10 AM PST
- More eyes on the code didn't find this any quicker. But all software has bugs, and very few people are actually spending time just hunting for them. What bothers me is that the article claims a "patch" was "slapped" on PHP... After reading the article, it seems that no patch is available?!? Users must upgrade to a new version?!? Why is no patch released?