A vulnerability discovered in the popular PHP scripting language could allow attackers to run arbitrary code on Web servers.
The flaw lies in the way PHP handles HTTP POST requests, specifically those encoded as multipart/form-data (file uploads and similar forms), according to an advisory from the CERT Coordination Center at Pittsburgh-based Carnegie Mellon University. Attackers could send specially crafted POST requests that corrupt PHP's internal data structures. In most cases this will simply crash the Web server; a more skilled attacker could exploit the flaw to run arbitrary code on the system.
Anyone who can send HTTP POST requests to an affected machine can potentially exploit the vulnerability, the PHP Group said.
PHP is most commonly deployed alongside the Apache Web server. It is believed there are more than two million PHP installations worldwide. Of those, however, only installations running versions 4.2.0 and 4.2.1 are affected, the PHP Group said.
Last February, a vulnerability was found in PHP that could also allow an attacker to run arbitrary code on the remote systems.
Stefan Esser, a 23-year-old German computer science student, found the flaw during his work at e-matters GmbH, a company that develops e-commerce tracking software. "I was searching for memory leaks and such stuff when I saw this logical bug," he said.
Esser describes exploiting the vulnerability on Solaris Sparc systems as "very easy." PHP running on x86 systems is not susceptible to attackers running arbitrary code on the system. However, attackers could still potentially exploit the flaw to crash PHP or the Web server running on x86 systems, the PHP Group said in an advisory. Esser said he has not tested the flaw on other systems.
A worm could theoretically be created to take advantage of the flaw, said Chris Rouland, director of Internet Security Systems' X-Force. The flaw would be a desirable target for virus writers because PHP is reached over port 80, the standard HTTP port, which firewalls almost universally allow through.
Rouland has seen some circumstantial evidence that the flaw may have been manually exploited. Yesterday, he saw a five-fold increase in Web site defacements, most of which were running Linux and Apache. "We pay attention to defacements as they are a barometer of what's going on out there," he said.
Users of affected systems should patch or upgrade as soon as possible. The PHP Group has released a new version, PHP 4.2.2, which incorporates a fix for the vulnerability; a standalone patch is also available. Until they can do so, administrators could deny POST requests as a temporary workaround, the PHP Group said.
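As an added illustration of the interim workaround (not configuration from the article or from the PHP Group's advisory), this Apache fragment blocks the POST method only for requests routed to PHP scripts, leaving GET intact; it assumes Apache 1.3/2.0/2.2-style access directives (on 2.4 they require mod_access_compat) and that mod_php handles files ending in .php.

```apache
# Editor's example, assumed configuration: stop multipart/form-data (and all
# other) POST bodies from reaching the vulnerable PHP 4.2.0/4.2.1 parser by
# refusing the POST method for *.php scripts until PHP 4.2.2 is installed.
# Any form or upload handled by PHP will stop working while this is in place.
<Files ~ "\.php$">
    <Limit POST>
        Order deny,allow
        Deny from all
    </Limit>
</Files>
```

After restarting Apache, a POST to any .php URL is answered with 403 Forbidden, which is also a simple way to confirm the workaround is active before the upgrade is rolled out.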
Esser hopes people won't use the vulnerability as a weapon against PHP, especially given the security history of many closed source software products. "A lot of people will use this incident to tell the world that PHP is an insecure language," he said. "It is hard to predict how many people will blindly follow and stop using it."