By Staff

A vulnerability in the PHP scripting language, which is commonly used in Web site development, could enable attackers to execute code that crashes or disrupts Web servers.

PHP is developed by the Apache Software Foundation, a decentralized community of developers. As such, it is often associated with the open-source Apache Web servers, although PHP also runs on Microsoft Internet Information Server, iPlanet and other Web servers.

Vulnerabilities exist in the file upload functions in multiple versions of PHP, including 3.0, 4.06 and 4.10/4.11, that could result in buffer overflows. A new version, 4.1.2, has been released that repairs the vulnerablity. It is available at

The vulnerabilities were reported Wednesday by, a virtual organization of intrusion detection experts that is affliliated with the SANS Insitute. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University, another vulnerability tracking organization, issued an alert the same day.

CERT/CC recommends users protect themselves by upgrading to the new version. If that is not possible, a series of patches are available for different PHP versions.

If updgrading or patching is not possible, CERT/CC says users should disable the file upload support in PHP. The group also has a list of vendor-specific information on its Web site at the URL referenced above.