January 29th, 2002, 07:37 AM
Script execution vulnerability in PHP 4.0..
SCRIPT EXECUTION VULNERABILITY IN PHP 4.0 FOR APACHE
Paul Brereton discovered a vulnerability in PHP 4.0 for Windows using Apache Web Server 2.0. By exploiting PHP's ability to view files residing outside the usual HTML root directory, an attacker can execute arbitrary code by inserting a malicious PHP-based command into the Apache log file. PHP has been notified, but no fix is currently available.