A posting over the weekend to the development homepage of forum software phpBB highlighted the issue, which had already been picked up by security consultants Secunia on Thursday.
The vulnerabilities, which affect PHP versions prior to 4.3.10 or 5.0.3, stem from errors in the way the serialisation (unserialize()) and realpath() functions handle their input; an attacker can use them to gain escalated privileges, bypass some security restrictions and compromise a vulnerable system. Many web administrators are suffering at the hands of attackers who have been quick to do what damage they can: we know that Inq favourite the Ace of Spodes has been having troubles.
The fix is to upgrade to the latest version of PHP, either 4.3.10 or 5.0.3, depending on which branch you are running. The 4.3.10 build also includes some bug fixes and features backported from the 5.x branch.
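A branch-aware version check for the upgrade advice above, written as an added example that is not part of the original article. It parses `php -v` output and reports whether a host is still on a release before 4.3.10 (4.x branch) or 5.0.3 (5.x branch); the host names and `php -v` strings are constructed for the example, not captured from real systems. Caveat for anyone scripting this across a fleet: distributions sometimes backport a security fix without bumping the version string, so a hit here means "check the package changelog", not a confirmed vulnerable build.

```python
import re

# Earliest fixed release on each major branch the article names: 4.3.10 and 5.0.3.
FIXED_RELEASE = {4: (4, 3, 10), 5: (5, 0, 3)}

# Constructed sample `php -v` output from hypothetical hosts (not real systems).
SAMPLE_PHP_V = {
    "web1": "PHP 4.3.9 (cli) (built: Nov 12 2004 10:01:32)\nCopyright (c) 1997-2004 The PHP Group",
    "web2": "PHP 5.0.2 (cgi) (built: Sep 23 2004 12:53:47)\nCopyright (c) 1997-2004 The PHP Group",
    "web3": "PHP 4.3.10 (cli) (built: Dec 15 2004 16:18:22)\nCopyright (c) 1997-2004 The PHP Group",
    "web4": "PHP 5.0.3 (cli) (built: Dec 15 2004 16:40:01)\nCopyright (c) 1997-2004 The PHP Group",
    "web5": "PHP 4.3.9-1 (cli) (built: Oct 4 2004 09:11:00)\nCopyright (c) 1997-2004 The PHP Group",
}

VERSION_RE = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)")


def parse_php_version(php_v_output):
    """Return (major, minor, patch) from `php -v` output.

    Only the leading numeric triple is used; distro suffixes such as
    '4.3.9-1' or release tags like '5.0.2RC1' are deliberately ignored,
    which is why a distro package carrying a backported fix can show up
    here as a false positive.
    """
    m = VERSION_RE.search(php_v_output)
    if m is None:
        raise ValueError("no PHP version line found")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version):
    """True if this release predates the fix on its branch (4.3.10 / 5.0.3),
    False if it is at or past the fix, None for a major version the
    advisory does not cover.
    """
    fixed = FIXED_RELEASE.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def audit_hosts(outputs):
    """Map host name -> (version string, status) for a batch of `php -v` captures."""
    report = {}
    for host, text in outputs.items():
        try:
            v = parse_php_version(text)
        except ValueError as exc:
            report[host] = (None, "unknown: %s" % exc)
            continue
        status = needs_upgrade(v)
        label = {True: "upgrade", False: "fixed", None: "not covered"}[status]
        report[host] = (".".join(map(str, v)), label)
    return report


if __name__ == "__main__":
    for host, (ver, label) in sorted(audit_hosts(SAMPLE_PHP_V).items()):
        print("%-5s %-8s %s" % (host, ver or "-", label))
```

To use it against real machines, replace `SAMPLE_PHP_V` with the output of `php -v` collected from each host (`php -r 'echo PHP_VERSION;'` also works as input, since the regex only needs the numeric triple).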
Our very own barmy Argentinian, Fernando Cassia, reports that the development tool Zend Optimizer is broken by 4.3.10, so any budding programmers will want to update Zend Optimizer to the latest version as well. µ