PHP Scripting Flaws Leave Huge Number of Web Sites Open to Attack

Update: The PHP Group released fixes PHP 5.4.3 and PHP 5.3.13 Tuesday evening, available for download here.

Attackers have begun exploiting two separate flaws in the PHP scripting language found in a large majority of Web sites.

The first vulnerability, which was privately disclosed to the PHP Group in January, could allow attackers to steal source code or insert malware. The flaw lies in how PHP installations running under a Common Gateway Interface (CGI) configuration handle the query string parameters passed to PHP files.

The hole makes it possible for URL query strings that contain the "-" character to be interpreted as command line switches. Hackers can use that flaw to read the source code or achieve remote code execution with a specially crafted request.

Attacks are currently active. Security firm Trustwave SpiderLabs reported yesterday that it saw the PHP flaw being exploited against its honeypot, which is set up to monitor Web attacks.

According to the PHP Group, organizations can easily check to see if their Web site is vulnerable to attack.

"If you are using Apache mod_cgi to run PHP you may be vulnerable," wrote the PHP Group in a message on its Web site. "To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not."
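As an added illustration (not part of the original article, and not the PHP Group's own material), the Python below models the CGI rule that makes the "?-s" check work: the CGI specification (RFC 3875, section 4.4) says a query string with no unencoded "=" is an "indexed" query whose "+"-separated, URL-decoded words are passed to the program as command-line arguments, which is how "-s" reaches php-cgi as a switch. The same check is then run over a few constructed access-log lines so a defender can flag such requests after the fact. The log lines and IP addresses are constructed samples, and `sanitize_target` is my own sketch of the query-stripping idea rather than the workaround the article links to.

```python
import re
from urllib.parse import unquote

# RFC 3875 section 4.4: a query string with no unencoded "=" is an
# "indexed" query; the server splits it on "+", URL-decodes each word,
# and hands the words to the CGI program as command-line arguments.
def cgi_argv_from_query(query: str) -> list:
    if query == "" or "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]


def is_php_cgi_argument_injection(query: str) -> bool:
    """True when the argv derived from the query string would carry a
    switch (a word starting with "-"), the shape of the "?-s" check."""
    return any(arg.startswith("-") for arg in cgi_argv_from_query(query))


def sanitize_target(target: str) -> str:
    """Drop the query string when it would be interpreted as switches.
    This mirrors the effect of a rewrite rule that strips such queries;
    it is an illustration, not the PHP Group's published workaround."""
    path, sep, query = target.partition("?")
    if sep and is_php_cgi_argument_injection(query):
        return path
    return target


# Apache combined-log-style line, enough fields for request and client.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation IP ranges, invented times).
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2012:10:15:01 +0000] "GET /index.php?-s HTTP/1.1" 200 5123
203.0.113.7 - - [04/May/2012:10:15:02 +0000] "GET /index.php?%2ds HTTP/1.1" 200 5123
198.51.100.3 - - [04/May/2012:10:16:11 +0000] "GET /index.php?page=-s HTTP/1.1" 200 811
198.51.100.3 - - [04/May/2012:10:16:12 +0000] "GET /search.php?q=php+-s HTTP/1.1" 200 4021
192.0.2.9 - - [04/May/2012:10:17:45 +0000] "GET /index.php HTTP/1.1" 200 811
"""


def find_suspicious_requests(log_lines) -> list:
    """Return (client_ip, request_target) pairs whose query string would
    reach a CGI program as command-line switches."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the scan
        target = m.group("target")
        _path, _sep, query = target.partition("?")
        if is_php_cgi_argument_injection(query):
            hits.append((m.group("ip"), target))
    return hits


if __name__ == "__main__":
    for ip, target in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"switch-style query from {ip}: {target}")
```

Note that `?page=-s` and `?q=php+-s` are not flagged: the "=" makes them ordinary key/value queries that never become command-line arguments, which is exactly why the PHP Group's check uses a bare `?-s`. The decoded form `%2ds` is caught because the server URL-decodes each argument before passing it on.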

While the vulnerability was privately disclosed to the PHP Group, the issue became public when the flaw was accidentally leaked online.

"Making a bad week worse, we had a bug in our bug system that toggled the private flag of a bug report to public on a comment to the bug report causing this issue to go public before we had time to test solutions to the level we would like," said the PHP Group.

In response to the information leak, the PHP Group released PHP 5.3.12 and PHP 5.4.2 as emergency fixes. However, shortly after release, it was discovered that the updates could be easily bypassed. "The security emergency release to fix the PHP CGI RCE (that was tested for days...) does not fix anything at all," wrote Stefan Esser, creator of the Suhosin PHP security extension, in a Twitter message.

Still, the PHP Group advises that organizations apply the flawed updates and test their system to see if they are still vulnerable. If so, a workaround can be found here.

An additional PHP update is scheduled to be released sometime today.

"Another set of releases are planned for Tuesday, May 8th," said the PHP Group. "These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only)."

About the Author

Chris Paoli is the site producer for and
