The open-source PHP Group has released a fix for a pair of security holes that could be exploited to execute arbitrary code on remote PHP servers.

The flaws affect PHP versions 4.3.7 and prior and version 5.0.0RC3 and prior. The final version of PHP 5.0, which was released earlier this week, is not affected.

Fixes have been included in the updated PHP 4.3.8, and the PHP Group is strongly encouraging users to upgrade.

According to research firm Secunia, the flaws carry a "highly critical" rating because they could allow malicious attackers to seize control of vulnerable servers and use a Web browser to launch dangerous code.

The flaws were discovered by E-matters researcher Stefan Esser during a re-audit of the PHP code. Esser posted an alert online to warn that the vulnerabilities affect PHP servers with activated "memory_limit."

"During a re-audit of the memory_limit problematic it was discovered that it is possible for a remote attacker to trigger the memory_limit request termination in places where an interruption is unsafe. This can be abused to execute arbitrary code on remote PHP servers," the researcher warned.

Esser said the more serious of the two bugs was "quite easy to exploit" and is exploitable on any platform.

The second flaw was found in PHP's "strip_tags()" function, which fails to strip obfuscated HTML tags. Esser said the hole could be exploited to conduct cross-site scripting attacks against sites that rely only on the "strip_tags()" functionality to prevent such attacks.
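For administrators sorting an inventory against the affected versions and the "memory_limit" condition reported above, a triage sketch follows. It is an added example, not code from the PHP Group, Secunia or E-matters; the host names, the inventory layout and the status labels are assumptions made for illustration.

```python
import re

# Accepts "4.3.7" or "5.0.0RC3"; anything else is sent for manual review.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:RC(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return a sortable tuple; an RC build sorts before the final release."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised PHP version: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = (0, int(m.group(4))) if m.group(4) else (1, 0)
    return (major, minor, patch, stage)

# Last affected releases as stated in the article.
LAST_AFFECTED_4 = parse_version("4.3.7")
LAST_AFFECTED_5 = parse_version("5.0.0RC3")

def is_affected(version):
    v = parse_version(version)
    if v[0] >= 5:
        return v <= LAST_AFFECTED_5
    return v <= LAST_AFFECTED_4  # "4.3.7 and prior"

def triage(version, memory_limit_active):
    """Status labels are hypothetical, chosen for this example."""
    try:
        affected = is_affected(version)
    except ValueError:
        return "review"  # custom or vendor build string: check by hand
    if not affected:
        return "patched"
    # The article ties the code-execution flaw to an activated memory_limit;
    # an affected version still needs the upgrade either way.
    return "upgrade-urgent" if memory_limit_active else "upgrade"

# Constructed sample inventory: (host, PHP version, memory_limit activated)
INVENTORY = [
    ("web-01", "4.3.7", True),
    ("web-02", "4.3.8", True),
    ("web-03", "5.0.0RC3", False),
    ("web-04", "5.0.0", True),
    ("web-05", "4.3.x-custom", True),
]

def triage_inventory(inventory):
    return {host: triage(ver, ml) for host, ver, ml in inventory}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(host, status)
```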

PHP is a general-purpose scripting language that is backed by the open-source Apache Project. It ships as standard with a number of Linux-powered Web servers as an Apache module and has enjoyed startling usage growth over the last four years. According to Netcraft statistics for June 2004, PHP is currently in use on at least 16 million domains.