Serious PHP flaw found

Hackers in the libraries

By Nick Farrell

Thu Aug 25 2005, 17:04

SECURITY BOFFINS have found a critical vulnerability in two PHP libraries that are used to provide web services and content management systems.

PHP, is one of the most widely used scripting language on the web and the flaws are in the XML-RPC for PHP and PEAR XML-RPC libraries.

Similar flaws were discovered in July and prompted an audit of the libraries by the Hardened-PHP Project, a group that was founded to protect PHP users and servers against security holes.

According to the Projects advisory here, the new flaw takes advantage of a technique similar to the earlier vulnerabilities, which involved eval() statements.

"To get rid of this and future eval() injection vulnerabilities, the Hardened-PHP Project has developed, together with the maintainers of both libraries, a fix that completely eliminates the use of eval() from the library", the report said.

Linux distributiors such as Red Hat and Gentoo have already issued patches, but perhaps the biggest problem will be for those who have used content management systems are built using PHP, such as PostNuke, Drupal, b2evolution and TikiWiki.

Apple releases Mac OS X 10.7.3 A gigabyte of patches Thursday, 2 February 2012, 15:22 PM Read more	Newly patched Safari flaws pose serious risks A proof-of-concept remote code execution exploit is available Thursday, 13 October 2011, 11:26 AM Read more
Firefox and Thunderbird 7 have critical security patches No fix for BEAST SSL/TLS attack yet Wednesday, 28 September 2011, 14:23 PM Read more	Wordpress blogs are at risk Hole found in a popular third-party script Wednesday, 3 August 2011, 15:11 PM Read more
Wordpress update fixes security flaws Stop your website from getting hacked Wednesday, 6 April 2011, 12:55 PM Read more	Nokia asks users what excites them about the Microsoft deal The answer? Not a thing Thursday, 24 February 2011, 16:45 PM Read more

Comments

There are no comments submitted yet. Do you have an interesting opinion? Then be the first to post a comment.

INQ White papers

Databases

Network management

Security

Service oriented architecture

Storage

INQ Jobs

Technical/Customer Support

Technical/Customer Support ...

INQ Poll

Authorities in several countries raided Megaupload recently, shut down all of its services, seized hundreds of servers and arrested several of its executives on criminal charges.

Do you think the move was justified?

Yes, companies should suffer an immediate death penalty upon being accused of copyright infringement.

Yes, the coppers said the company was breaking the law so it must be guilty.

No, the company and the people accused are innocent until proven guilty.

No, the company had millions of customers who have been harmed by having access to their data files cut off.

I don't care, I never used Megaupload anyway.

View other polls

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093

SEARCH :

Site Credentials:

Business & Technology websites:

Business research resources:

Products:

Investment Market IT websites:

Find out what you are worth:

Salary Calculator

Search for a job:

Recruitment Agency A-Z Directory

Accreditations:

Digital Publisher of the Year 2010

Serious PHP flaw found

Share this:

RIM Playbook OS 2.0 and Blackberry 7.1 video demo

Nokia Lumia 710 video review