PHP Team Patches DoS Bugs

edited April 2005 in Science & Tech
On Wednesday, the PHP Development Team released updates to the PHP 4 and 5 code base, fixing two security vulnerabilities that open the door to Denial-of-Service (DoS) attacks.
PHP is a popular open source scripting language used by Web developers. In February, an anonymous researcher discovered that two functions that handle image uploads within PHP 4 and 5 (php_handle_iff and php_handle_jpeg) could be manipulated to create infinite loops in the program.

The infinite loop, in turn, consumes 100 percent of the system's CPU and crashes the system. Both vulnerabilities require the attacker to upload a malicious image to the getimagesize() routine and affect PHP versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3. The routine is used to determine the size and dimensions of image file formats like GIF, JPEG and TIFF.

At risk are sites running PHP that allow users to upload images to the Web server, like photo blogs or wikis. Michael Sutton, director of iDefense labs, said the vulnerabilities aren't considered critical bugs because they only bring down the system; the bugs won't allow a malicious hacker to take over the Web server.
Source: Internet News