March 2nd, 2002, 07:28 AM
[News] - PHP Security Issue
The below is from E-Commerce Times:
Security watchdog groups said Wednesday that a common application used to run Web servers was found to contain several major security holes. The flaws could enable hackers to interrupt normal Web operations or execute arbitrary lines of code.
Both the Coordination Center of the Computer Emergency Response Team (CERT) at Carnegie Mellon University and e-Matters, a German security firm, posted advisories for those whose Web servers run a scripting language used in Web development called PHP.
PHP creates Web pages from a database. According to both security groups, all versions of PHP are affected by the security flaws, though patches and upgrades are available.
Steve Hunt, vice president of research and security at Giga Information Group, told NewsFactor that while the hole is serious, exploiting it would be difficult for anyone seeking entry into a Web server.
"There are so many other, easier ways for a bad guy to do bad things," Hunt noted.
Various Applications Affected
Web servers running Apache, Microsoft's Internet Information Server, Netscape, iPlanet and OmniHTTPd are among those affected.
The security firms pointed to Linux and Solaris operating systems as the two platforms most at risk, although other operating systems also can run the PHP language.
Jim Hurley, vice president for security and privacy at Aberdeen Group, told NewsFactor that those running Linux are most at risk.
"For anybody that has Linux out there, most likely you've got PHP in the environment. And if it's accessible, it could be accessed by anybody and could lead to problems of ownership over the machine," said Hurley.
Compared with Web servers running Microsoft IIS or Mac OS X, Hurley said he believes the Linux group will spend the most time installing patches and upgrades.
SNMP Security Flaw
Another recent major security hole was found earlier this month by CERT.
The SNMP networking protocol, or Simple Network Management Protocol, a method of monitoring and managing network devices used by dozens of hardware makers and Internet service providers, was found to have security flaws that make devices using the protocol susceptible to hackers.
In that case, the security alert extended beyond university and commercial networks as security experts warned consumers of the danger that computers, scanners, printers and other devices hooked up to a network could face. They urged consumers to apply all relevant patches and upgrades to solve the problem.
Common, Uncommon Elements
Giga's Hunt explained that the SNMP and PHP security holes have one thing in common. "Their similarity is in the ease of their fix," he said, noting that required patches and upgrades are readily available.
Hurley noted that while SNMP is more pervasive than PHP, its flaw was less threatening because networks using it in an enterprise environment generally are located behind protective firewalls.
"PHP provides anyone on the Internet with access to the Web server, and therefore to anything else within the firewalls," Hurley said.
Microsoft (Nasdaq: MSFT), Cisco (Nasdaq: CSCO), Netscape, Nokia, Lucent (NYSE: LU), Hewlett-Packard (NYSE: HWP), Novell (Nasdaq: NOVL) and Lotus were among the companies named by CERT as having software that could be affected by the SNMP security flaw.