28 February 2002

The open-source scripting language PHP has a security flaw that could allow hackers to attack a large number of open-source web servers, according to a new security alert.
While PHP – which was originally called Personal HomePage – can be installed on a variety of web servers, the threat is thought to be greatest to web servers running on the Linux and Solaris operating systems. This could affect millions of web sites using the open-source Apache Web server and Sun Microsystems’ iPlanet Web Server product.
PHP allows web developers to create web pages on the fly with relational database back ends. It is a highly regarded open-source tool. But while security experts have warned that the flaw is difficult to exploit, the tools to do so are thought to be already in the hands of a network of hackers.
The security holes were discovered by a member of the PHP engineering team. The US government-funded security body, the Computer Emergency Response Team (CERT), has also issued a warning.
The flaws comprise overflow weaknesses in processing and problems with boundary checks. These could enable a hacker to crash a web server or gain full access to it.
For example, once a hacker has gained access to an organisation’s web server, it is relatively easy for them to carry out a malicious “application-layer” attack, such as deleting data from an online bank account, according to Tal Gilat, CEO of application-layer security software vendor KaVaDo.
To avert problems, organisations running their web sites on the Linux or Solaris operating systems should upgrade to the latest version of PHP, version 4.1.2, according to the PHP website.
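An administrator with more than a handful of servers will want to find out which hosts still run a PHP release older than the 4.1.2 the article points to. The script below is an added example, not code from the article or from the PHP project: it parses the first line of `php -v` output as collected from each host and sorts the hosts into patched, vulnerable and unknown. The host names and banners are constructed sample data, and the assumption that any release numbered 4.1.2 or later carries the fix comes from the article's upgrade advice; pre-release builds such as "-dev" snapshots are deliberately reported as unknown, because their version number alone does not show whether the fix is included.

```python
import re

# Release the article says resolves the flaws (PHP 4.1.2).
FIXED_VERSION = (4, 1, 2)

# Constructed sample inventory: host name -> first line of `php -v` output.
# These are not real hosts; the banners are made up for the example.
SAMPLE_INVENTORY = {
    "web-01": "PHP 4.0.6 (cgi) (built: Jun 23 2001 17:32:44)",
    "web-02": "PHP 4.1.1 (cli) (built: Dec 26 2001 09:15:00)",
    "web-03": "PHP 4.1.2 (cli) (built: Feb 27 2002 10:02:11)",
    "web-04": "PHP 4.2.0-dev (cli) (built: Mar 01 2002 11:00:00)",
    "web-05": "sh: php: command not found",
}

# Matches "PHP <major>.<minor>.<patch>" with an optional pre-release suffix.
_VERSION_RE = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)(-[A-Za-z0-9]+)?")


def parse_php_version(banner):
    """Return (major, minor, patch, suffix) from a php -v banner, or None.

    suffix is "" for a plain release and e.g. "-dev" for a snapshot build.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix or "")


def is_patched(version):
    """True when a plain release is at or above FIXED_VERSION.

    Snapshot builds (non-empty suffix) are never treated as patched here,
    since the number alone does not prove the fix was in that snapshot.
    """
    major, minor, patch, suffix = version
    return suffix == "" and (major, minor, patch) >= FIXED_VERSION


def classify_inventory(inventory):
    """Map each host to 'patched', 'vulnerable' or 'unknown'."""
    result = {}
    for host, banner in inventory.items():
        version = parse_php_version(banner)
        if version is None or version[3] != "":
            # No PHP banner, or a pre-release build: needs a manual look.
            result[host] = "unknown"
        elif is_patched(version):
            result[host] = "patched"
        else:
            result[host] = "vulnerable"
    return result


if __name__ == "__main__":
    for host, status in sorted(classify_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The version string is only a first-pass filter: operating-system vendors often backport security fixes into packages that keep an older upstream version number, so a host flagged "vulnerable" here should be checked against the package's own changelog or advisory before it is counted as exposed, and "unknown" hosts need a manual look at the build.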